CN108833282A - Data forwarding method, system, device and SDN switch - Google Patents
Data forwarding method, system, device and SDN switch
- Publication number: CN108833282A (application CN201810659380.8A)
- Authority: CN (China)
- Prior art keywords: data packet, sent, proxy server, SDN switch, receiving end
- Legal status: Pending
Classifications
- H04L49/3009: Packet switching elements; peripheral units, e.g. input or output ports; header conversion, routing tables or routing tags
- H04L45/74: Routing or path finding of packets in data switching networks; address processing for routing
- H04L63/0236: Network security; separating internal from external traffic, e.g. firewalls; filtering policies; filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L63/0281: Network security; separating internal from external traffic, e.g. firewalls; proxies
Abstract
An embodiment of the present invention provides a data forwarding method, system, device and SDN switch, belonging to the field of Internet technology. In the method, an SDN switch receives a data packet sent by a transmitting end to a receiving end; the SDN switch then sends the data packet to a proxy server so that the proxy server judges whether the data packet is an attack packet; when the proxy server judges that the data packet is not an attack packet, the SDN switch obtains the data packet sent back by the proxy server; the SDN switch then sends the data packet to the receiving end according to its destination address, so that the receiving end obtains the address of the transmitting end from the data packet. As a result, the SDN switch need not change the content of the data packet when forwarding it, and the receiving end can obtain the address information of the transmitting end from the received data packet, so that the transmitting end can be traced, counted or analysed, which improves the reliability of tracing data packets.
Description
Technical field
The present invention relates to the field of Internet technology, and in particular to a data forwarding method, system, device and SDN switch.
Background technique
Layer-7 network protection schemes are generally implemented by a proxy-based method: a request first arrives at a proxy server, which filters out attack requests and then forwards the request to the destination server. In the traditional transparent proxy method the user terminal is unaware of the proxy server's existence; after receiving a request, the proxy server judges whether the data packet needs to be proxied, and if so, the proxy server forwards the data to the destination server and forwards the data returned by the destination server back to the user terminal. The proxy server thus acts as an intermediate device between the user terminal and the destination server, relaying data packets and interacting with both sides.
In the traditional transparent proxy method, however, a particular network topology must be deployed and configured for the proxy server to perform its relay function, and the proxy server must change the source address and destination address in the data packet when forwarding it. That is, when the user terminal sends a data packet to the destination server, the source address in the data packet is the address of the user terminal and the destination address is the address of the proxy server; when the proxy server sends the data packet on to the destination server, it must change the source address to the address of the proxy server and the destination address to the address of the destination server. Consequently, when the destination server receives the data packet, the only source address it can obtain from it is the address of the proxy server, so the destination server cannot know which user terminal sent the data packet, cannot trace the user terminal, and cannot count or analyse the user terminals that send data packets.
Summary of the invention
In view of this, the object of the embodiments of the present invention is to provide a data forwarding method, system, device and SDN switch that improve upon the above problem.
In a first aspect, an embodiment of the present invention provides a data forwarding method, the method comprising:
an SDN switch receiving a data packet sent by a transmitting end to a receiving end, the data packet including a source address and a destination address, the source address being the address of the transmitting end and the destination address being the address of the receiving end;
the SDN switch sending the data packet to a proxy server so that the proxy server judges whether the data packet is an attack packet, and, when the proxy server judges that the data packet is not an attack packet, obtaining the data packet sent by the proxy server;
the SDN switch sending the data packet to the receiving end according to the destination address, so that the receiving end obtains the address of the transmitting end from the data packet.
Further, after the SDN switch obtains the data packet sent by the transmitting end to the receiving end, and before the SDN switch sends the data packet to the proxy server so that the proxy server judges whether the data packet is an attack packet and obtains the data packet sent by the proxy server when it judges that the data packet is not an attack packet, the method further comprises:
the SDN switch judging whether the data packet carries an agent mark;
if so, executing the step in which the SDN switch sends the data packet to the proxy server so that the proxy server judges whether the data packet is an attack packet, and obtaining the data packet sent by the proxy server when it judges that the data packet is not an attack packet.
Further, after the SDN switch obtains the data packet sent by the transmitting end to the receiving end, and before the SDN switch sends the data packet to the proxy server so that the proxy server judges whether the data packet is an attack packet and obtains the data packet sent by the proxy server when it judges that the data packet is not an attack packet, the method further comprises:
the SDN switch judging whether the data packet carries an agent mark;
if so, the SDN switch sending an inquiry message to an SDN controller;
the SDN switch receiving a forward rule sent by the SDN controller according to the inquiry message, the forward rule being that the SDN switch sends data packets carrying the agent mark to the proxy server;
the SDN switch sending the data packet to the proxy server according to the forward rule, so that the proxy server judges whether the data packet is an attack packet, and obtaining the data packet sent by the proxy server when it judges that the data packet is not an attack packet.
Further, the SDN switch sending the data packet to the receiving end according to the destination address, so that the receiving end obtains the address of the transmitting end from the data packet, comprises:
the SDN switch sending the data packet to the receiving end according to the destination address and a preset forwarding mode, so that the receiving end obtains the address of the transmitting end from the data packet.
In a second aspect, an embodiment of the present invention provides a data forwarding system comprising a transmitting end, an SDN switch, a proxy server and a receiving end, the transmitting end being communicatively connected to the SDN switch, the SDN switch being communicatively connected to the proxy server, and the SDN switch being communicatively connected to the receiving end;
the transmitting end is configured to send a data packet to the receiving end, the data packet including a source address and a destination address, the source address being the address of the transmitting end and the destination address being the address of the receiving end;
the SDN switch is configured to receive the data packet;
the SDN switch is further configured to send the data packet to the proxy server;
the proxy server is configured to judge whether the data packet is an attack packet and, when it judges that the data packet is not an attack packet, to send the data packet to the SDN switch;
the SDN switch is further configured to obtain the data packet sent by the proxy server;
the SDN switch is further configured to send the data packet to the receiving end according to the destination address, so that the receiving end obtains the address of the transmitting end from the data packet.
In a third aspect, an embodiment of the present invention provides a data forwarding device running on an SDN switch, the device comprising:
a packet receiving module for receiving a data packet sent by a transmitting end to a receiving end, the data packet including a source address and a destination address, the source address being the address of the transmitting end and the destination address being the address of the receiving end;
a first forwarding module for sending the data packet to a proxy server so that the proxy server judges whether the data packet is an attack packet, and for obtaining the data packet sent by the proxy server when the proxy server judges that the data packet is not an attack packet;
a second forwarding module for sending the data packet to the receiving end according to the destination address, so that the receiving end obtains the address of the transmitting end from the data packet.
Further, the device further comprises:
an agent mark detection module for judging whether the data packet carries an agent mark and, if so, executing the step performed by the second forwarding module.
Further, the device further comprises:
an agent mark detection module for judging whether the data packet carries an agent mark and, if so, sending an inquiry message to an SDN controller;
a forward rule receiving module for receiving a forward rule sent by the SDN controller according to the inquiry message, the forward rule being that the SDN switch sends data packets carrying the agent mark to the proxy server;
the first forwarding module being specifically configured to send the data packet to the proxy server according to the forward rule, so that the proxy server judges whether the data packet is an attack packet, and to obtain the data packet sent by the proxy server when it judges that the data packet is not an attack packet.
Further, the second forwarding module is specifically configured to send the data packet to the receiving end according to the destination address and a preset forwarding mode, so that the receiving end obtains the address of the transmitting end from the data packet.
In a fourth aspect, an embodiment of the present invention provides an SDN switch comprising a processor and a memory, the memory storing computer-readable instructions which, when executed by the processor, perform the steps of the method provided in the first aspect above.
The beneficial effects of the embodiments of the present invention are as follows:
An embodiment of the present invention provides a data forwarding method, system, device and SDN switch. In the method, an SDN switch receives a data packet sent by a transmitting end to a receiving end, the data packet including a source address and a destination address, the source address being the address of the transmitting end and the destination address being the address of the receiving end; the SDN switch then sends the data packet to a proxy server so that the proxy server judges whether the data packet is an attack packet, and when the proxy server judges that the data packet is not an attack packet, the SDN switch obtains the data packet sent by the proxy server; the SDN switch then sends the data packet to the receiving end according to the destination address, so that the receiving end obtains the address of the transmitting end from the data packet. As a result, the SDN switch need not change the content of the data packet when forwarding it, and the receiving end can obtain the address information of the transmitting end from the received data packet, so that the transmitting end can be traced, counted or analysed, which improves the reliability of tracing data packets.
Other features and advantages of the present invention will be set out in the following description and will in part become apparent from the description, or may be learned by practising the embodiments of the present invention. The objects and other advantages of the invention may be realised and obtained by the structures particularly pointed out in the written description, the claims and the accompanying drawings.
Detailed description of the invention
In order to explain the technical solutions of the embodiments of the present invention more clearly, the drawings required for the embodiments are briefly described below. It should be understood that the following drawings illustrate only certain embodiments of the present invention and are therefore not to be regarded as limiting its scope; a person of ordinary skill in the art can obtain other related drawings from these drawings without creative effort.
Fig. 1 is a structural block diagram of a data forwarding system in the prior art;
Fig. 2 is a structural block diagram of a data forwarding system provided by an embodiment of the present invention;
Fig. 3 is a structural block diagram of an electronic device applicable to an embodiment of the present application;
Fig. 4 is a flow chart of a data forwarding method provided by an embodiment of the present invention;
Fig. 5 is a structural block diagram of a data forwarding device provided by an embodiment of the present invention;
Fig. 6 is a structural block diagram of an SDN switch provided by an embodiment of the present invention.
Specific embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. The components of the embodiments of the present invention generally described and illustrated in the drawings here may be arranged and designed in a variety of different configurations. Therefore, the following detailed description of the embodiments of the present invention provided in the drawings is not intended to limit the scope of the claimed invention, but merely represents selected embodiments of the invention. All other embodiments obtained by a person skilled in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
It should be noted that similar reference numerals and letters denote similar items in the following drawings; therefore, once an item is defined in one drawing, it need not be further defined or explained in subsequent drawings. Meanwhile, in the description of the present invention, terms such as "first" and "second" are used only to distinguish the description and are not to be understood as indicating or implying relative importance.
Fig. 1 is a structural block diagram of a data forwarding system in the prior art. In the fully transparent proxy scheme of the prior art, the source address and destination address of the data packet are on the proxy server. For example, let the IP address of the user terminal be CIP and its port CPORT, the IP address of the proxy server be VIP and its port VPORT, and the IP address of the destination server be RIP and its port RPORT. The process by which the user terminal accesses the destination server is as follows:
1. The user terminal sends a TCP/IP data packet to the proxy server; the data packet format is:
CIP:CPORT→VIP:VPORT
2. After the proxy server receives the user terminal's data packet, it changes the data packet format to
VIP:VPORT→RIP:RPORT and sends it to the destination server.
3. After the destination server receives the proxy's data packet, it returns a response; the data packet format is:
RIP:RPORT→VIP:VPORT
4. After the proxy server receives the response data packet, it returns it to the user terminal; the data packet format is:
VIP:VPORT→CIP:CPORT
Therefore, the destination address of a data packet received by the proxy server must be the IP address of the proxy server, and must be the address of a network interface card it can listen on locally; the source address of a data packet sent out by the proxy server must likewise be the IP address of the proxy server, and must also be the address of a local network interface card it can listen on. Since the only source address received from the proxy server is the proxy server's own address, the destination server cannot obtain the address and port of the user terminal, and so cannot trace, count or analyse the user terminal. In order to avoid the above problem, the embodiments of the present invention provide a data forwarding method.
The defects in the above prior-art scheme are results the inventor obtained after practice and careful study; therefore, both the process of discovering the above problem and the solution proposed below in the embodiments of the present application for the above problem should be regarded as contributions made by the inventor to the present application in the course of this application.
Referring to Fig. 2, which is a structural block diagram of a data forwarding system provided by an embodiment of the present invention, the data forwarding system comprises a transmitting end, an SDN switch, a proxy server and a receiving end. The transmitting end may be a user terminal or a destination server, and the receiving end may likewise be a user terminal or a destination server; the transmitting end and the receiving end are the two opposite ends of a communication, i.e. when the transmitting end is the user terminal the receiving end is the destination server, and when the transmitting end is the destination server the receiving end is the user terminal. Communication between the transmitting end and the receiving end takes place by sending data packets, which are forwarded by the SDN switch. In order to prevent a data packet from being an attack packet, the proxy server performs attack detection on the data packet, and only when the data packet is not an attack packet does the SDN switch send it to the receiving end.
An SDN switch is a switch in an SDN network. Depending on the needs of the usage scenario, the switching function of an SDN switch can be implemented in software or in hardware: a software-implemented SDN switch is usually integrated with a virtualisation hypervisor, while a hardware-implemented switch can support networking based on hardware devices and can also meet the demand for mixed networking of SDN networks and traditional networks.
An SDN switch has all the functions of a general switch; its special function is support for the OpenFlow protocol, so that the SDN switch can be controlled and managed by an SDN controller. Flow table rules are entered on the SDN controller and issued to the SDN switch, and data packets passing through the SDN switch are then forwarded according to these flow table rules, whereas a traditional switch decides by itself how to forward a data packet after receiving it. For example, suppose a host with IP address 172.16.1.88 sends a data packet to IP address 172.16.1.89: after a conventional switch receives it, it directly consults its own internal flow table, looks up where the receiving end with IP address 172.16.1.89 is, and then sends the packet. An SDN switch also first consults its internal flow table (but this flow table is issued by the SDN controller rather than generated by the switch itself, unlike a general switch); if a matching entry exists, the data packet is forwarded according to the flow table, and if not, the switch sends a message to the SDN controller asking how to handle this data packet.
In a conventional switch or router, the composition of the forwarding table or routing table has a standard definition and a relatively simple format; for example, the forwarding table of a Layer 2 switch is just the mapping between device ports and MAC addresses, which is very suitable for efficient implementation in a static application-specific integrated circuit. The forwarding table used for forwarding decisions in an SDN switch, by contrast, may have an extremely complex composition: taking OpenFlow as an example, the length of each entry in the flow table and the match fields it contains are in a customisable, non-fixed format.
Moreover, an SDN switch can implement a traffic steering function, i.e. after receiving a data packet it directly steers the data packet to the proxy server for attack protection detection, so that the data packets sent by the transmitting end to the receiving end are normal, legitimate data packets, which guarantees the security of network transmission.
A proxy server is an important server security function, also referred to as a network proxy; it is a special kind of network service that allows one user terminal to connect indirectly to another network terminal (generally a server) through this service.
Referring to Fig. 3, which shows a structural block diagram of an electronic device 100 applicable to an embodiment of the present application, the electronic device 100 may comprise a data forwarding device, a memory 101, a storage controller 102, a processor 103 and a peripheral interface 104.
The memory 101, storage controller 102, processor 103 and peripheral interface 104 are electrically connected to one another, directly or indirectly, to realise the transmission or interaction of data. For example, these elements may be electrically connected to one another by one or more communication buses or signal lines. The data forwarding device comprises at least one software function module which may be stored in the memory 101 in the form of software or firmware, or solidified in the operating system (OS) of the data forwarding device. The processor 103 is configured to execute the executable modules stored in the memory 101, such as the software function modules or computer programs comprised in the data forwarding device.
The memory 101 may be, but is not limited to, random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), etc. The memory 101 is used to store a program, and the processor 103 executes the program after receiving an execution instruction. The method performed by the server defined by the flow process disclosed in any of the embodiments of the present invention may be applied in the processor 103 or realised by the processor 103.
The processor 103 may be an integrated circuit chip with signal processing capability. The processor 103 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. It can implement or execute each method, step and logic block diagram disclosed in the embodiments of the present invention. A general-purpose processor may be a microprocessor, or the processor 103 may be any conventional processor or the like.
The peripheral interface 104 couples various input/output devices to the processor 103 and the memory 101. In some embodiments, the peripheral interface 104, processor 103 and storage controller 102 may be realised in a single chip; in other examples they may each be realised by an independent chip.
It will be appreciated that the structure shown in Fig. 3 is only illustrative; the electronic device 100 may also comprise more or fewer components than shown in Fig. 3, or have a configuration different from that shown in Fig. 3. Each component shown in Fig. 3 may be realised in hardware, software or a combination thereof.
Referring to Fig. 4, which is a flow chart of a data forwarding method provided by an embodiment of the present invention, the method is applied to an SDN switch and comprises the following steps:
Step S110: the SDN switch receives a data packet sent by a transmitting end to a receiving end.
For convenience of description, the embodiments of the present invention are described with the transmitting end being a user terminal and the receiving end being a destination server.
If the user terminal is to send a data packet to the destination server, the data packet includes a source address and a destination address, the source address being the address of the transmitting end (the user terminal) and the destination address being the address of the receiving end (the destination server). For example, if the IP address of the user terminal is 10.1.1.1 and its MAC address is 02:42:79:9d:01:3d, and the IP address of the destination server is 10.1.1.2 and its MAC address is 02:42:79:9d:01:3c, then the source address included in the data packet is source IP 10.1.1.1 and source MAC 02:42:79:9d:01:3d, and the destination address is destination IP 10.1.1.2 and destination MAC 02:42:79:9d:01:3c.
Step S120: the SDN switch sends the data packet to a proxy server so that the proxy server judges whether the data packet is an attack packet, and when the proxy server judges that the data packet is not an attack packet, the SDN switch obtains the data packet sent by the proxy server.
Step S130: the SDN switch sends the data packet to the receiving end according to the destination address, so that the receiving end obtains the address of the transmitting end from the data packet.
Some forwarding rules are predefined on the SDN server. In order to perform attack protection detection on data packets, the controller can issue a forwarding rule to the SDN server, namely that a data packet, once obtained, is steered to the proxy server for attack protection detection. After receiving the data packet, the proxy server detects whether it is an attack packet. If the data packet is an attack packet, it is likely to contain attack information; after detecting that the data packet contains attack information, the proxy server determines that it is an attack packet. If the data packet is an attack packet, the proxy server sends a notification message informing the SDN switch that the data packet is an attack packet and is not to be forwarded to the receiving end, and the SDN switch can then directly discard the data packet. If the data packet is not an attack packet, the proxy server sends the detected data packet back to the SDN switch, and the SDN switch can then forward the data packet directly to the receiving end.
The SDN switch does not change the content of the data packet when forwarding data. For example, when the SDN switch obtains a data packet sent by the transmitting end, it forwards it to the proxy server. If the IP of the transmitting end is CIP and its port CPORT, and the IP of the receiving end is RIP and its port RPORT, then the format of the data packet sent by the transmitting end is CIP:CPORT→RIP:RPORT, denoting a packet sent from the source address to the destination address; the format of the data packet the SDN switch delivers to the proxy server is CIP:CPORT→RIP:RPORT, and the format of the data packet the SDN switch sends to the receiving end is CIP:CPORT→RIP:RPORT. Thus neither the source address and source port nor the destination address and destination port of the data packet received by the proxy server are on the proxy server, and there is no need to bind the IP of the source or destination address to a local network interface card, which truly realises a fully transparent proxy. The source address of the data packet received by the receiving end is likewise the address of the transmitting end rather than the address of the SDN switch, which makes statistical analysis of the source address convenient.
Therefore, in the embodiments of the present invention, the source address and destination address in the data packet are neither on the proxy server nor on the SDN switch; neither the proxy server nor the SDN switch changes any content of the data packet in realising the communication between the transmitting end and the receiving end. By using the SDN switch to steer traffic to the proxy server, attack traffic is cleaned on the proxy server and normal traffic is then forwarded to the receiving end, so what the receiving end receives is the request of the real transmitting end rather than a request of the proxy server. The user terminal and the destination server do not need to make any change to the network topology, i.e. the receiving end can obtain the address of the transmitting end directly from the data packet, so that the transmitting end can be counted, traced and so on.
In addition, as one implementation, the SDN switch can also realise general data forwarding, and some data packets may not need the proxy service, so the data can also be checked for whether the proxy service is needed. If a data packet needs the proxy service, the transmitting end can add corresponding identification information to the data packet when sending it, marking that the data packet needs the proxy service, i.e. attack protection detection; the identification information can be an agent mark. When the SDN switch receives the data packet sent by the transmitting end, it then judges whether the data packet carries the agent mark, and if so, executes step S120.
As an implementation, if the SDN switch has not been configured in advance to, for example, forward packets carrying the Agent Markup to the proxy server for attack protection detection, then after receiving a packet carrying the Agent Markup the SDN switch may not know how to handle it. In that case it can send an inquiry message to the SDN controller, and the SDN controller issues a forward rule to the SDN switch according to the inquiry message. The forward rule instructs the SDN switch to send the packet carrying the Agent Markup to the proxy server. After the SDN switch receives the forward rule, it sends the packet to the proxy server according to that rule.
In addition, in order to guarantee safe and precise transmission of data, the SDN switch can also send the packet to the receiving end according to the destination address using a default forward mode, so that the receiving end obtains the address of the transmitting terminal from the packet.
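As an added illustration of the forwarding path and the Agent Markup handling described above (this is not code from the patent), the following Python simulation models the switch, controller, proxy server and receiving end; the class names, the AGENT_MARK flag, the single forward-rule string and the proxy's attack heuristic are all assumptions of this demo.

```python
"""Simulation of the transparent forwarding path: switch -> proxy -> switch -> receiver.

Added example, not the patent's code. Packet, SdnSwitch, Controller, ProxyServer,
Receiver, AGENT_MARK and RULE_MARK_TO_PROXY are constructed names for this demo.
"""
from dataclasses import dataclass, field

AGENT_MARK = "agent"                 # stands in for the page's "Agent Markup"
RULE_MARK_TO_PROXY = "mark->proxy"   # forward rule the controller issues on inquiry


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes
    marks: set = field(default_factory=set)

    def flow_key(self):
        # CIP:CPORT->RIP:RPORT, the only thing that should change hands: nothing
        return f"{self.src_ip}:{self.src_port}->{self.dst_ip}:{self.dst_port}"


class ProxyServer:
    """Transparent proxy: inspects packets but never rewrites addresses."""

    def __init__(self):
        self.seen = []   # flow keys as the proxy saw them (for the transparency check)

    def inspect(self, pkt):
        self.seen.append(pkt.flow_key())
        # constructed attack heuristic for the demo: payload marked as a flood probe
        is_attack = pkt.payload.startswith(b"FLOOD")
        return None if is_attack else pkt


class Controller:
    """Answers a switch inquiry with the rule 'marked packets go to the proxy'."""

    def __init__(self):
        self.inquiries = 0

    def on_inquiry(self, pkt):
        self.inquiries += 1
        return RULE_MARK_TO_PROXY


class Receiver:
    def __init__(self):
        self.delivered = []

    def receive(self, pkt):
        self.delivered.append(pkt)


class SdnSwitch:
    def __init__(self, controller, proxy, receivers):
        self.controller = controller
        self.proxy = proxy
        self.receivers = receivers   # dst_ip -> Receiver (destination-based forwarding)
        self.flow_rules = set()      # empty: switch was not configured in advance
        self.dropped = 0

    def handle(self, pkt):
        """Return True if the packet reached the receiving end, False if dropped."""
        if AGENT_MARK in pkt.marks:
            if RULE_MARK_TO_PROXY not in self.flow_rules:
                # No matching rule: ask the controller once and cache what it issues.
                self.flow_rules.add(self.controller.on_inquiry(pkt))
            cleaned = self.proxy.inspect(pkt)   # steer to the proxy, packet unchanged
            if cleaned is None:
                self.dropped += 1
                return False
            pkt = cleaned
        # Default forward mode: deliver by destination address, addresses untouched.
        self.receivers[pkt.dst_ip].receive(pkt)
        return True


def run_demo():
    """Send a marked clean packet, a marked attack packet and an unmarked packet."""
    controller, proxy, rx = Controller(), ProxyServer(), Receiver()
    sw = SdnSwitch(controller, proxy, {"10.0.0.20": rx})
    cip, cport, rip, rport = "10.0.0.5", 40000, "10.0.0.20", 80   # constructed addresses
    good = Packet(cip, cport, rip, rport, b"GET / HTTP/1.1", {AGENT_MARK})
    bad = Packet(cip, cport + 1, rip, rport, b"FLOOD" * 10, {AGENT_MARK})
    plain = Packet(cip, cport + 2, rip, rport, b"no proxy needed")
    results = [sw.handle(p) for p in (good, bad, plain)]
    return sw, proxy, rx, results
```

The receiving end sees the transmitting terminal's own address on every delivered packet, the proxy saw exactly the original CIP:CPORT→RIP:RPORT pairs, and the controller was consulted only once because the switch cached the forward rule.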
The data exchange mode of the SDN switch determines the speed at which it forwards packets and the delay introduced by the exchange process (i.e. the time difference between the SDN switch receiving a packet on one port and sending it out on another port). In practical applications, packet forwarding should have as low a forwarding delay as possible to improve data transmission performance, while data should also be verified during forwarding to guarantee the reliability of information transmission.
The data exchange mode of an SDN switch can be one of several choices, such as cut-through, fragment-free and store-and-forward.
Cut-through mode: the SDN switch receives and analyses only the first 6 bytes of the data frame and cuts the rest of the frame straight through to the exit port. This is because the first 6 bytes of the data frame contain its destination MAC address, which is enough for the switch to make a forwarding decision. Cut-through mode has the smallest forwarding delay, but it does not check the integrity of the data, so it may forward runt frames (collision fragments) produced by Ethernet collisions, which causes network reliability problems.
Fragment-free mode: the SDN switch first receives and parses the first 64 bytes of the data frame and only then forwards it. The length of 64 bytes is chosen because experience shows that, in Ethernet networks, most runt frames can be detected while processing these bytes. Although this mode may let a minimal number of runt frames through undetected, it has little effect on the overall performance of the network, so it is also known as "fast forwarding" in many application scenarios.
Store-and-forward mode: the SDN switch must receive and parse the content of the entire data frame and perform operations such as an integrity check of the frame, so that errors are effectively avoided.
Therefore, in order to guarantee safe transmission of data, the default forward mode of the SDN switch in the embodiment of the present invention is store-and-forward mode: after receiving the packet sent over by the proxy server, the SDN switch sends it to the receiving end in store-and-forward mode. Under store-and-forward mode the SDN switch verifies the integrity of the packet before retransmitting it, which ensures that the data is complete and safe.
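To make the three modes concrete, here is an added Python comparison (not the patent's code) that builds constructed Ethernet frames with a CRC-32 FCS and runs a good frame, a collision fragment and a frame corrupted after its FCS was computed through each mode; the Switch class, the mode strings and the helper names are assumptions of this demo.

```python
"""Constructed comparison of cut-through, fragment-free and store-and-forward.

Added example, not the patent's code. Frames are built inline: dst MAC (6) +
src MAC (6) + EtherType (2) + payload + FCS (4). The FCS is CRC-32 over everything
before it, stored least-significant byte first as on the wire.
"""
import zlib

MIN_FRAME = 64   # minimum Ethernet frame length incl. FCS; shorter = collision fragment


def build_frame(dst_mac, src_mac, ethertype, payload, corrupt=False):
    body = (bytes.fromhex(dst_mac.replace(":", ""))
            + bytes.fromhex(src_mac.replace(":", ""))
            + ethertype.to_bytes(2, "big") + payload)
    fcs = zlib.crc32(body).to_bytes(4, "little")
    if corrupt:
        # flip a payload bit after the FCS was computed: corruption on the wire
        body = body[:-1] + bytes([body[-1] ^ 0x01])
    return body + fcs


def fcs_ok(frame):
    """Integrity check a store-and-forward switch performs on the whole frame."""
    return zlib.crc32(frame[:-4]).to_bytes(4, "little") == frame[-4:]


def dst_mac(frame):
    return ":".join(f"{b:02x}" for b in frame[:6])


class Switch:
    def __init__(self, mode, mac_table):
        self.mode = mode
        self.mac_table = mac_table     # dst MAC -> egress port
        self.bytes_examined = 0        # how much of each frame the mode must see

    def forward(self, frame):
        """Return the egress port, or None if the mode drops the frame."""
        if self.mode == "cut-through":
            self.bytes_examined += 6           # dst MAC only; rest cut straight through
        elif self.mode == "fragment-free":
            self.bytes_examined += min(len(frame), MIN_FRAME)
            if len(frame) < MIN_FRAME:         # runt / collision fragment: drop
                return None
        elif self.mode == "store-and-forward":
            self.bytes_examined += len(frame)  # whole frame buffered and verified
            if len(frame) < MIN_FRAME or not fcs_ok(frame):
                return None
        else:
            raise ValueError(self.mode)
        return self.mac_table.get(dst_mac(frame))


def compare_modes():
    """Run a good frame, a runt and a corrupted frame through each mode."""
    dst, src = "02:00:00:00:00:20", "02:00:00:00:00:05"   # constructed MACs
    table = {dst: 2}
    good = build_frame(dst, src, 0x0800, b"A" * 46)        # exactly 64 bytes
    runt = build_frame(dst, src, 0x0800, b"A" * 10)        # 28 bytes: fragment
    corrupted = build_frame(dst, src, 0x0800, b"A" * 46, corrupt=True)
    out = {}
    for mode in ("cut-through", "fragment-free", "store-and-forward"):
        sw = Switch(mode, table)
        out[mode] = tuple(sw.forward(f) for f in (good, runt, corrupted))
    return out
```

Cut-through forwards all three frames, fragment-free drops only the runt, and store-and-forward is the only mode that also catches the corrupted frame, which is why the embodiment picks it as the default for the proxy-to-receiver hop.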
Referring to Fig. 2, the data forwarding system in Fig. 2 includes a transmitting terminal, an SDN switch, a proxy server and a receiving end. The transmitting terminal is communicatively connected to the SDN switch, the SDN switch is communicatively connected to the proxy server, and the SDN switch is communicatively connected to the receiving end. The data forwarding method described above is applied in this data forwarding system.
The transmitting terminal is configured to send a packet to the receiving end; the packet includes a source address and a destination address, the source address being the address of the transmitting terminal and the destination address being the address of the receiving end;
The SDN switch is configured to receive the packet;
The SDN switch is further configured to send the packet to the proxy server;
The proxy server is configured to judge whether the packet is an attack packet and, when it judges that the packet is not an attack packet, to send the packet to the SDN switch;
The SDN switch is further configured to obtain the packet sent by the proxy server;
The SDN switch is further configured to send the packet to the receiving end according to the destination address, so that the receiving end obtains the address of the transmitting terminal from the packet.
Referring to Fig. 5, Fig. 5 is a structural block diagram of a data forwarding device 200 provided in an embodiment of the present invention. The device runs in the SDN switch described above and includes:
A packet-receiving module 210, configured to receive a packet sent by the transmitting terminal to the receiving end; the packet includes a source address and a destination address, the source address being the address of the transmitting terminal and the destination address being the address of the receiving end;
A first forwarding module 220, configured to send the packet to the proxy server so that the proxy server judges whether the packet is an attack packet, and to obtain the packet sent by the proxy server when the proxy server judges that the packet is not an attack packet;
A second forwarding module 230, configured to send the packet to the receiving end according to the destination address, so that the receiving end obtains the address of the transmitting terminal from the packet.
As an implementation, the device further includes:
An Agent Markup detection module, configured to judge whether the packet carries the Agent Markup and, if so, to execute the step performed by the second forwarding module 230.
As an implementation, the device further includes:
An Agent Markup detection module, configured to judge whether the packet carries the Agent Markup and, if so, to send an inquiry message to the SDN controller;
A forward rule receiving module, configured to receive the forward rule sent by the SDN controller according to the inquiry message, the forward rule instructing the SDN switch to send the packet carrying the Agent Markup to the proxy server;
The first forwarding module 220, specifically configured to send the packet to the proxy server according to the forward rule, so that the proxy server performs attack packet detection on the packet, and to obtain the packet sent by the proxy server when it judges that the packet is not an attack packet.
As an implementation, the second forwarding module 230 is specifically configured to send the packet to the receiving end according to the destination address using the default forward mode, so that the receiving end obtains the address of the transmitting terminal from the packet.
Referring to Fig. 6, Fig. 6 is a structural block diagram of an SDN switch provided in an embodiment of the present invention. The SDN switch may include: at least one processor 410, such as a CPU, at least one communication interface 420, at least one memory 430 and at least one communication bus 440. The communication bus 440 is used to realize direct connection communication between these components. In the embodiment of the present invention, the communication interface 420 of the device is used for signaling or data communication with other node devices. The memory 430 may be a high-speed RAM memory, or may be a non-volatile memory, for example at least one disk storage. The memory 430 may optionally also be at least one storage device located remotely from the aforementioned processor. Computer-readable instructions are stored in the memory 430, and when the processor 410 executes the computer-readable instructions in the memory 430, the steps of the data forwarding method described above are run.
It will be apparent to those skilled in the art that, for convenience and brevity of description, the specific working process of the device or system described above may refer to the corresponding process in the foregoing method and is not repeated here.
In summary, the embodiment of the present invention provides a data forwarding method, system, device and SDN switch. In this method, the SDN switch receives a packet sent by the transmitting terminal to the receiving end; the packet includes a source address and a destination address, the source address being the address of the transmitting terminal and the destination address being the address of the receiving end. The SDN switch then sends the packet to the proxy server so that the proxy server judges whether the packet is an attack packet, and obtains the packet sent by the proxy server when the proxy server judges that the packet is not an attack packet. The SDN switch then sends the packet to the receiving end according to the destination address, so that the receiving end obtains the address of the transmitting terminal from the packet. As a result, the SDN switch need not change the content of the packet when forwarding it, and the receiving end can obtain the address information of the transmitting terminal from the received packet, so that the transmitting terminal can be traced, counted or analysed, which improves the reliability of tracing packets.
In the several embodiments provided in this application, it should be understood that the disclosed device and method may also be implemented in other ways. The device embodiments described above are merely illustrative. For example, the flowcharts and block diagrams in the drawings show the architecture, functions and operations that may be implemented by the devices, methods and computer program products of multiple embodiments of the present invention. In this regard, each box in a flowchart or block diagram may represent a module, a program segment or a part of code, which includes one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions marked in the boxes may occur in an order different from that marked in the drawings. For example, two consecutive boxes may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functions involved. It should also be noted that each box in the block diagrams and/or flowcharts, and combinations of boxes in the block diagrams and/or flowcharts, may be implemented by a dedicated hardware-based system that performs the specified function or action, or by a combination of dedicated hardware and computer instructions.
In addition, the functional modules in the embodiments of the present invention may be integrated together to form an independent part, each module may exist separately, or two or more modules may be integrated to form an independent part.
If the functions are implemented in the form of software functional modules and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash disk, a mobile hard disk, a read-only memory (ROM, Read-Only Memory), a random access memory (RAM, Random Access Memory), a magnetic disk or an optical disk.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the invention; for those skilled in the art, the invention may be modified and varied in many ways. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included in the protection scope of the present invention. It should be noted that similar labels and letters denote similar items in the following drawings; therefore, once an item is defined in one drawing, it need not be further defined and explained in subsequent drawings.
The above description is merely a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto. Any change or replacement that a person familiar with the art can easily think of within the technical scope disclosed by the present invention shall be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
It should be noted that, in this document, relational terms such as first and second are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes the element.
Claims (10)
1. A data forwarding method, characterized in that the method includes:
an SDN switch receiving a packet sent by a transmitting terminal to a receiving end, the packet including a source address and a destination address, the source address being the address of the transmitting terminal and the destination address being the address of the receiving end;
the SDN switch sending the packet to a proxy server so that the proxy server judges whether the packet is an attack packet, and obtaining the packet sent by the proxy server when the proxy server judges that the packet is not an attack packet;
the SDN switch sending the packet to the receiving end according to the destination address, so that the receiving end obtains the address of the transmitting terminal from the packet.
2. The method according to claim 1, characterized in that, after the SDN switch obtains the packet sent by the transmitting terminal to the receiving end, and before the SDN switch sends the packet to the proxy server so that the proxy server performs attack packet detection on the packet and obtains the packet sent by the proxy server when it judges that the packet is not an attack packet, the method further includes:
the SDN switch judging whether the packet carries an Agent Markup;
if so, executing the step of: the SDN switch sending the packet to the proxy server so that the proxy server performs attack packet detection on the packet, and obtaining the packet sent by the proxy server when it judges that the packet is not an attack packet.
3. The method according to claim 1, characterized in that, after the SDN switch obtains the packet sent by the transmitting terminal to the receiving end, and before the SDN switch sends the packet to the proxy server so that the proxy server performs attack packet detection on the packet and obtains the packet sent by the proxy server when it judges that the packet is not an attack packet, the method further includes:
the SDN switch judging whether the packet carries an Agent Markup;
if so, the SDN switch sending an inquiry message to an SDN controller;
the SDN switch receiving a forward rule sent by the SDN controller according to the inquiry message, the forward rule instructing the SDN switch to send the packet carrying the Agent Markup to the proxy server;
the SDN switch sending the packet to the proxy server according to the forward rule, so that the proxy server performs attack packet detection on the packet, and obtaining the packet sent by the proxy server when it judges that the packet is not an attack packet.
4. The method according to claim 1, characterized in that the SDN switch sending the packet to the receiving end according to the destination address, so that the receiving end obtains the address of the transmitting terminal from the packet, includes:
the SDN switch sending the packet to the receiving end according to the destination address using a default forward mode, so that the receiving end obtains the address of the transmitting terminal from the packet.
5. A data forwarding system, characterized in that the data forwarding system includes a transmitting terminal, an SDN switch, a proxy server and a receiving end; the transmitting terminal is communicatively connected to the SDN switch, the SDN switch is communicatively connected to the proxy server, and the SDN switch is communicatively connected to the receiving end;
the transmitting terminal is configured to send a packet to the receiving end, the packet including a source address and a destination address, the source address being the address of the transmitting terminal and the destination address being the address of the receiving end;
the SDN switch is configured to receive the packet;
the SDN switch is further configured to send the packet to the proxy server;
the proxy server is configured to judge whether the packet is an attack packet and, when it judges that the packet is not an attack packet, to send the packet to the SDN switch;
the SDN switch is further configured to obtain the packet sent by the proxy server;
the SDN switch is further configured to send the packet to the receiving end according to the destination address, so that the receiving end obtains the address of the transmitting terminal from the packet.
6. A data forwarding device, characterized in that it runs on an SDN switch and includes:
a packet-receiving module, configured to receive a packet sent by a transmitting terminal to a receiving end, the packet including a source address and a destination address, the source address being the address of the transmitting terminal and the destination address being the address of the receiving end;
a first forwarding module, configured to send the packet to a proxy server so that the proxy server judges whether the packet is an attack packet, and to obtain the packet sent by the proxy server when the proxy server judges that the packet is not an attack packet;
a second forwarding module, configured to send the packet to the receiving end according to the destination address, so that the receiving end obtains the address of the transmitting terminal from the packet.
7. The device according to claim 6, characterized in that the device further includes:
an Agent Markup detection module, configured to judge whether the packet carries an Agent Markup and, if so, to execute the step performed by the second forwarding module.
8. The device according to claim 6, characterized in that the device further includes:
an Agent Markup detection module, configured to judge whether the packet carries an Agent Markup and, if so, to send an inquiry message to an SDN controller;
a forward rule receiving module, configured to receive a forward rule sent by the SDN controller according to the inquiry message, the forward rule instructing the SDN switch to send the packet carrying the Agent Markup to the proxy server;
the first forwarding module, specifically configured to send the packet to the proxy server according to the forward rule, so that the proxy server performs attack packet detection on the packet, and to obtain the packet sent by the proxy server when it judges that the packet is not an attack packet.
9. The device according to claim 6, characterized in that the second forwarding module is specifically configured to send the packet to the receiving end according to the destination address using a default forward mode, so that the receiving end obtains the address of the transmitting terminal from the packet.
10. An SDN switch, characterized in that it includes a processor and a memory, the memory storing computer-readable instructions which, when executed by the processor, run the steps of the method according to any one of claims 1-4.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810659380.8A CN108833282A (en) | 2018-06-22 | 2018-06-22 | Data forwarding method, system, device and SDN switch |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108833282A true CN108833282A (en) | 2018-11-16 |
Family
ID=64138149
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 20181116 |