CN109725925A - Method for detecting the conflict between multiple software defined network SDN applications - Google Patents
- Publication number: CN109725925A
- Authority: CN (China)
- Prior art keywords: OpenFlow message, output, OpenFlow, SDN, message
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention discloses a method for detecting conflicts between multiple software-defined network (SDN) applications. The method uses a symbolic execution tool to process each input OpenFlow message of each SDN application among the multiple SDN applications under test and, based on the processing results, detects whether a conflict exists between any two of the SDN applications. Conflicts between multiple SDN applications can therefore be detected in advance, before the applications are deployed, and the method has good application prospects.
Description
Technical field
The present invention relates to the field of software-defined network (SDN) verification technology, and in particular to a method for detecting conflicts between multiple SDN applications.
Background
Software-defined networking (SDN) is a new network innovation architecture proposed by Emulex. By decoupling the control plane of network devices from the data plane, it simplifies data-plane forwarding and makes the control plane programmable, which greatly facilitates the development and deployment of new network functions. Users can implement various policies by developing and deploying SDN applications, in order to ensure the availability and security of the network. With the development of open-source SDN controllers (for example, ONOS and Floodlight), more and more SDN applications are being developed and deployed.
The OpenFlow protocol defines the message types and formats used in communication between the controller and the switch. The controller establishes a secure channel with the switch through the OpenFlow protocol, and SDN applications, through the controller, issue to the switch or delete from it flow tables that define packet forwarding rules, in order to manage different aspects of the network. To implement various network policies, many SDN applications (for example, a firewall or a load balancer) are deployed on the same controller. In practice, SDN applications from different parties make the control logic of the network complex, and may intentionally or unintentionally install rules with the same match field and conflicting action fields on the same switch. This produces conflicts between the SDN applications and causes network failures or degraded network performance. The problem is currently common in the SDN field, and some SDN controller systems rely on priorities among the SDN applications to avoid conflicts. However, even if each SDN application has a definite priority, how to use those priorities to process the output of each SDN application remains a difficult problem. Therefore, to avoid behavior the user does not expect after multiple SDN applications are deployed, detecting conflicts between the applications in advance is the only solution.
Researchers have previously proposed several schemes for verifying the correctness of SDN applications. For example:
1) Verification tools represented by NICE and Vericon. These use formal methods such as model checking or theorem proving to verify whether the correctness properties of the network are violated. However, they verify only a single SDN application and cannot verify correctness across multiple SDN applications.
2) Verification tools represented by VMN and HSA. These verify whether the flow tables of the data plane violate the correctness properties of the network. However, they cannot detect conflicts between multiple SDN applications in advance, before the applications are deployed.
3) Verification by new controllers represented by Netcore and Frenetic. These use formal methods such as model checking in the compiler to prevent SDN applications from installing rules on switches that may cause conflicts. However, this verification method supports only a particular northbound interface language and cannot support applications of existing controllers (for example, ONOS and Floodlight) in the compiler.
It can be seen that none of the above methods can detect conflicts between multiple SDN applications in advance.
To solve the above technical problem, the present invention provides a method for detecting conflicts between multiple software-defined network (SDN) applications. The method can detect conflicts between multiple SDN applications in advance, before the applications are deployed, without changing the controller kernel.
Summary of the invention
The technical problem to be solved by the present invention is that methods in the prior art cannot detect conflicts between multiple SDN applications in advance, before the applications are deployed.
To solve the above technical problem, the present invention provides a method for detecting conflicts between multiple software-defined network (SDN) applications, comprising:
For each SDN application among the multiple SDN applications under test, the following operations are performed:
Obtain the source code of the SDN application and all of its input OpenFlow messages;
According to the attribute information of each event handler contained in the source code of the SDN application, determine the input OpenFlow messages that each event handler is to process, wherein the input OpenFlow messages to be processed by all of the event handlers together constitute all of the input OpenFlow messages;
For each input OpenFlow message, the following operations are performed:
Using a symbolic execution tool corresponding to the language type of the source code, process the input OpenFlow message to obtain multiple executable paths corresponding to the input OpenFlow message, the path constraint corresponding to each of those executable paths, and a first output OpenFlow message set corresponding to each executable path, the first output OpenFlow message set being the set of output OpenFlow messages corresponding to that executable path;
Using a constraint solver, solve the path constraint corresponding to each executable path and, based on the solving result, process each output OpenFlow message in the first output OpenFlow message set corresponding to each executable path to obtain a second output OpenFlow message set corresponding to each executable path, the second output OpenFlow message set being the set of output OpenFlow messages obtained after processing each output OpenFlow message in the first output OpenFlow message set;
Process each output OpenFlow message in the second output OpenFlow message set corresponding to each executable path to obtain a third output OpenFlow message set corresponding to each executable path, the third output OpenFlow message set being the set of output OpenFlow messages obtained after processing each output OpenFlow message in the second output OpenFlow message set;
Using each output OpenFlow message in the third output OpenFlow message set corresponding to each executable path corresponding to each input OpenFlow message of each SDN application, detect whether a conflict exists between any two of the multiple SDN applications.
In a preferred embodiment, using a symbolic execution tool corresponding to the language type of the source code to process the input OpenFlow message and obtain the multiple executable paths corresponding to the input OpenFlow message, the path constraint corresponding to each of those executable paths, and the first output OpenFlow message set corresponding to each executable path comprises:
Using the symbolic execution tool corresponding to the language type of the source code of the SDN application, designate the relevant variables contained in each input OpenFlow message of the SDN application as symbolic variables, wherein the relevant variables are the variables that need to be used in the process of detecting conflicts between multiple SDN applications;
Using the symbolic execution tool, run each event handler contained in the source code of the SDN application to obtain the multiple executable paths corresponding to each input OpenFlow message of the SDN application, the path constraint corresponding to each of those executable paths, and the first output OpenFlow message set corresponding to each executable path.
In a preferred embodiment, the method further comprises: assigning concrete values to the irrelevant variables contained in each input OpenFlow message of the SDN application, wherein the irrelevant variables are the variables that do not need to be used in the process of detecting conflicts between multiple SDN applications.
In a preferred embodiment, the method further comprises: according to the concrete meaning, in the software-defined network, of each field of the flow table contained in each input OpenFlow message of the SDN application, limiting the value range of each symbolic variable contained in each input OpenFlow message of the SDN application to a preset range.
In a preferred embodiment, using a constraint solver to solve the path constraint corresponding to each executable path and, based on the solving result, processing each output OpenFlow message in the first output OpenFlow message set corresponding to each executable path to obtain the second output OpenFlow message set corresponding to each executable path comprises:
For each executable path corresponding to each input OpenFlow message of each SDN application, the following operations are performed:
Solve the path constraint corresponding to the executable path using the constraint solver;
If the constraint solver reports that a solution exists, assign the concrete values obtained by solving to each symbolic variable contained in each output OpenFlow message in the first output OpenFlow message set corresponding to the executable path, obtaining the second output OpenFlow message set corresponding to the executable path;
If the constraint solver reports that no solution exists, remove the first output OpenFlow message set corresponding to the executable path, obtaining the second output OpenFlow message set corresponding to the executable path, wherein this second output OpenFlow message set is the empty set.
In a preferred embodiment, the action field of the flow table contained in an output OpenFlow message either contains a reset action or does not contain a reset action.
In a preferred embodiment, processing each output OpenFlow message in the second output OpenFlow message set corresponding to each executable path to obtain the third output OpenFlow message set corresponding to each executable path comprises:
For the second output OpenFlow message set corresponding to each executable path corresponding to each input OpenFlow message of each SDN application, the following operations are performed:
Classify the output OpenFlow messages in the second output OpenFlow message set according to the attribute information of each output OpenFlow message in the set;
According to the classification result, process each output OpenFlow message in the second output OpenFlow message set to obtain the third output OpenFlow message set corresponding to the executable path to which the second output OpenFlow message set belongs.
In a preferred embodiment, processing each output OpenFlow message in the second output OpenFlow message set according to the classification result to obtain the third output OpenFlow message set corresponding to the executable path to which the second output OpenFlow message set belongs comprises:
If none of the action fields of the flow tables contained in the output OpenFlow messages in the second output OpenFlow message set contains a reset action, keep each output OpenFlow message in the second output OpenFlow message set unchanged, so that the output OpenFlow messages contained in the third output OpenFlow message set corresponding to the executable path to which the second output OpenFlow message set belongs are identical to the output OpenFlow messages contained in the second output OpenFlow message set;
If all of the action fields of the flow tables contained in the output OpenFlow messages in the second output OpenFlow message set contain a reset action, remove each output OpenFlow message in the second output OpenFlow message set, so that the third output OpenFlow message set corresponding to the executable path to which the second output OpenFlow message set belongs is the empty set.
In a preferred embodiment, processing each output OpenFlow message in the second output OpenFlow message set according to the classification result to obtain the third output OpenFlow message set corresponding to the executable path to which the second output OpenFlow message set belongs further comprises:
If the action fields of the flow tables contained in some of the output OpenFlow messages in the second output OpenFlow message set contain a reset action and the action fields of the flow tables contained in the other output OpenFlow messages do not, process each output OpenFlow message in the second output OpenFlow message set using a preset synthesis rule to obtain the third output OpenFlow message set corresponding to the executable path to which the second output OpenFlow message set belongs.
In a preferred embodiment, using each output OpenFlow message in the third output OpenFlow message set corresponding to each executable path corresponding to each input OpenFlow message of each SDN application to detect whether a conflict exists between any two of the multiple SDN applications comprises:
Arbitrarily take two SDN applications from the multiple SDN applications under test, obtaining a first SDN application and a second SDN application;
Obtain each output OpenFlow message in the third output OpenFlow message set corresponding to each executable path corresponding to each input OpenFlow message of the first SDN application, and each output OpenFlow message in the third output OpenFlow message set corresponding to each executable path corresponding to each input OpenFlow message of the second SDN application;
Take one output OpenFlow message from the third output OpenFlow message set corresponding to each executable path corresponding to each input OpenFlow message of the first SDN application, and one from the third output OpenFlow message set corresponding to each executable path corresponding to each input OpenFlow message of the second SDN application, obtaining a first output OpenFlow message and a second output OpenFlow message;
According to the attribute information of the first output OpenFlow message and the second output OpenFlow message, use a preset judgement rule to determine whether a conflict exists between the first SDN application and the second SDN application.
Compared with the prior art, one or more embodiments of the above scheme may have the following advantages or beneficial effects:
The method for detecting conflicts between multiple software-defined network (SDN) applications provided by the embodiments of the present invention uses a symbolic execution tool to process each input OpenFlow message of each SDN application among the multiple SDN applications under test and, based on the processing results, detects whether a conflict exists between any two of the SDN applications. Conflicts between multiple SDN applications can therefore be detected in advance, before the applications are deployed, and the method has good application prospects.
Other features and advantages of the present invention will be set forth in the following description, and in part will become apparent from the description or be understood by practicing the invention. The objectives and other advantages of the invention can be realized and obtained by the structures particularly pointed out in the description, the claims and the drawings.
Brief description of the drawings
The drawings are provided for further understanding of the present invention and constitute a part of the description. Together with the embodiments of the invention, they serve to explain the invention and do not limit it. In the drawings:
Fig. 1 is a flow diagram of the method for detecting conflicts between multiple software-defined network (SDN) applications according to an embodiment of the present invention;
Fig. 2 is a detailed flow diagram of step S103 in Fig. 1;
Fig. 3 is a detailed flow diagram of step S104 in Fig. 1;
Fig. 4 is a detailed flow diagram of step S105 in Fig. 1;
Fig. 5 is a detailed flow diagram of step S106 in Fig. 1;
Fig. 6 is a schematic diagram of a scenario in which multiple SDN applications coexist, in application example one of the present invention;
Fig. 7 is a schematic diagram of the results of using the symbolic execution tool to run the event handler that processes the input OpenFlow message packet_in, and of using the constraint solver to solve the path constraint corresponding to each executable path;
Fig. 8 is a schematic diagram showing the concrete results in Fig. 7;
Fig. 9 is a schematic diagram showing the process of synthesizing the output OpenFlow messages in the second output OpenFlow message set corresponding to each executable path.
Detailed description of the embodiments
Embodiments of the present invention are described in detail below with reference to the drawings and examples, so that how the invention applies technical means to solve the technical problem and achieves the technical effect can be fully understood and implemented. It should be noted that, as long as they do not conflict, the embodiments of the present invention and the features of the embodiments may be combined with one another, and the resulting technical solutions all fall within the protection scope of the invention.
To solve the technical problem that methods in the prior art cannot detect conflicts between multiple SDN applications in advance, before the applications are deployed, an embodiment of the present invention provides a method for detecting conflicts between multiple software-defined network (SDN) applications.
An SDN application handles the various OpenFlow messages sent by switches. Because these OpenFlow messages are inputs from the point of view of the SDN application, they are called the input OpenFlow messages of the SDN application. An SDN application is event-driven: it processes input OpenFlow messages with the event handlers contained in its source code, and issues flow tables to switches or deletes them through output OpenFlow messages. In general, a flow table includes information such as a match field, an action field, a priority field, counters, a timeout and additional attributes. The event handlers contained in the source code of an SDN application can respond to various network events, for example, packet arrival and link or switch failures.
A person of ordinary skill in the art will understand that the input OpenFlow messages of an SDN application include information such as packets, and that the output OpenFlow messages of an SDN application include information such as which flow table is issued to which switch.
Fig. 1 is a flow diagram of the method for detecting conflicts between multiple software-defined network (SDN) applications according to an embodiment of the present invention.
As shown in Fig. 1, the method for detecting conflicts between multiple SDN applications according to the embodiment of the present invention mainly comprises the following steps S101 to S106.
For each SDN application among the multiple SDN applications under test, the following operations are performed:
In step S101, the source code of the SDN application and all of its input OpenFlow messages are obtained.
In step S102, according to the attribute information of each event handler contained in the source code of the SDN application, the input OpenFlow messages that each event handler is to process are determined, wherein the input OpenFlow messages to be processed by all of the event handlers together constitute all of the input OpenFlow messages.
For each input OpenFlow message in step S102, the following operations are performed:
In step S103, a symbolic execution tool corresponding to the language type of the source code is used to process the input OpenFlow message, obtaining multiple executable paths corresponding to the input OpenFlow message, the path constraint corresponding to each of those executable paths, and a first output OpenFlow message set corresponding to each executable path. The first output OpenFlow message set is the set of output OpenFlow messages corresponding to that executable path; the action field of the flow table contained in an output OpenFlow message either contains a reset action or does not contain a reset action. The detailed process is shown in Fig. 2.
In step S1031, using the symbolic execution tool corresponding to the language type of the source code of the SDN application, the relevant variables contained in each input OpenFlow message of the SDN application are designated as symbolic variables. The relevant variables are the variables that need to be used in the process of detecting conflicts between multiple SDN applications, for example, the source IP address and the destination IP address.
In step S1032, the symbolic execution tool is used to run each event handler contained in the source code of the SDN application, obtaining the multiple executable paths corresponding to each input OpenFlow message of the SDN application, the path constraint corresponding to each of those executable paths, and the first output OpenFlow message set corresponding to each executable path.
In a preferred embodiment, the method further comprises: assigning concrete values to the irrelevant variables contained in each input OpenFlow message of the SDN application. The irrelevant variables are the variables that do not need to be used in the process of detecting conflicts between multiple SDN applications. For example, suppose the input OpenFlow message of an SDN application under test is packet_in, and the packet content contained in the input OpenFlow message is a packet header and a payload. If the function of the SDN application under test is unrelated to the payload (that is, the payload is an irrelevant variable), the payload can be assigned a concrete value. This effectively improves the efficiency of symbolic execution.
In a preferred embodiment, the method further comprises: according to the concrete meaning, in the software-defined network, of each field of the flow table contained in each input OpenFlow message of the SDN application, limiting the value range of each symbolic variable contained in each input OpenFlow message of the SDN application to a preset range. Each field of the flow table contained in an input OpenFlow message has a minimum value range, and the preset range corresponds to that minimum value range; a person of ordinary skill in the art can set the minimum value range according to the actual situation. For example, the minimum value range of the value of the symbolic variable "eth_type" contained in an input OpenFlow message is (0-64).
By using a symbolic execution tool to process each input OpenFlow message of each SDN application, the present invention not only effectively avoids the state explosion problem caused by traversing the states of each SDN application, but also guarantees coverage of the source code of each SDN application.
In step S104, a constraint solver is used to solve the path constraint corresponding to each executable path and, based on the solving result, each output OpenFlow message in the first output OpenFlow message set corresponding to each executable path is processed to obtain a second output OpenFlow message set corresponding to each executable path. The second output OpenFlow message set is the set of output OpenFlow messages obtained after processing each output OpenFlow message in the first output OpenFlow message set. The detailed process is shown in Fig. 3.
For each executable path corresponding to each input OpenFlow message of each SDN application, the following operations are performed:
In step S1041, the path constraint corresponding to the executable path is solved using the constraint solver.
If the constraint solver reports that a solution exists, step S1042 is executed: the concrete values obtained by solving are assigned to each symbolic variable contained in each output OpenFlow message in the first output OpenFlow message set corresponding to the executable path, obtaining the second output OpenFlow message set corresponding to the executable path.
For example, solving the path constraint corresponding to executable path 1 with the constraint solver gives λ.src=HostI. If the output OpenFlow message in the first output OpenFlow message set corresponding to executable path 1 is (add, sw1, e8((p.src=λ.src, p.dst=ServerD) → fwd(3))), then the symbolic variable (p.src) contained in that output OpenFlow message is assigned the concrete value obtained by solving, giving the output OpenFlow message (add, sw1, e8((p.src=HostI, p.dst=ServerD) → fwd(3))). This message is the output OpenFlow message in the second output OpenFlow message set corresponding to executable path 1.
If the constraint solver reports that no solution exists, step S1043 is executed: the first output OpenFlow message set corresponding to the executable path is removed, obtaining the second output OpenFlow message set corresponding to the executable path, wherein this second output OpenFlow message set is the empty set.
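Step S104 and the pairwise check it feeds, as an added example that is not code from the patent: a brute-force search over preset value ranges stands in for the constraint solver, and the conflict rule (same switch, identical match field, different action field) is assumed from the Background, since the judgement rule itself is not spelled out here. The two applications, the host and server names and the message layout are constructed, and no output contains a reset action, so the later processing of the second output sets leaves them unchanged.

```python
from itertools import product


class Sym:
    """Symbolic variable left inside an output message by symbolic execution."""
    def __init__(self, name):
        self.name = name


# Preset value ranges of the symbolic variables (constructed sample values).
DOMAINS = {"src": ["HostI", "HostJ"], "dst": ["ServerD", "ServerE"]}


def solve(constraints, domains):
    """Stand-in for a constraint solver: enumerate the preset ranges and return
    the first assignment that satisfies every constraint, or None if none does."""
    names = sorted(domains)
    for values in product(*(domains[n] for n in names)):
        env = dict(zip(names, values))
        if all(check(env) for check in constraints):
            return env
    return None


def second_output_set(path, domains):
    """Step S104 for one executable path."""
    env = solve(path["constraints"], domains)
    if env is None:                       # S1043: no solution, drop the first set
        return []
    concrete = []
    for msg in path["outputs"]:           # S1042: assign the solved values
        match = {field: env[v.name] if isinstance(v, Sym) else v
                 for field, v in msg["match"].items()}
        concrete.append({**msg, "match": match})
    return concrete


def app_outputs(app, domains):
    """All concrete output messages of one application, over all of its paths."""
    return [m for path in app for m in second_output_set(path, domains)]


def detect_conflicts(app_a, app_b, domains):
    """Pairwise check with the assumed rule: same switch, identical match field,
    different action field."""
    return [(m1, m2)
            for m1 in app_outputs(app_a, domains)
            for m2 in app_outputs(app_b, domains)
            if m1["switch"] == m2["switch"]
            and m1["match"] == m2["match"]
            and m1["action"] != m2["action"]]


# Constructed executable paths of two packet_in handlers.
LOAD_BALANCER = [
    {"constraints": [lambda e: e["src"] == "HostI"],
     "outputs": [{"op": "add", "switch": "sw1",
                  "match": {"src": Sym("src"), "dst": "ServerD"},
                  "action": "fwd(3)"}]},
]
FIREWALL = [
    {"constraints": [lambda e: e["src"] != "HostJ"],
     "outputs": [{"op": "add", "switch": "sw1",
                  "match": {"src": Sym("src"), "dst": Sym("dst")},
                  "action": "drop"}]},
    # HostZ lies outside the preset range, so this path has no solution.
    {"constraints": [lambda e: e["src"] == "HostZ"],
     "outputs": [{"op": "add", "switch": "sw1",
                  "match": {"src": Sym("src"), "dst": "ServerE"},
                  "action": "fwd(1)"}]},
]

if __name__ == "__main__":
    for fw_msg, lb_msg in detect_conflicts(FIREWALL, LOAD_BALANCER, DOMAINS):
        print("conflict on", fw_msg["switch"], fw_msg["match"],
              fw_msg["action"], "vs", lb_msg["action"])
```

Because the solver returns a single assignment per path, each symbolic variable takes exactly one concrete value, as in the λ.src=HostI case above.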
In step S105, each output OpenFlow message in the second output OpenFlow message set corresponding to each executable path is processed to obtain a third output OpenFlow message set corresponding to each executable path. The third output OpenFlow message set is the set of output OpenFlow messages obtained after processing each output OpenFlow message in the second output OpenFlow message set. The detailed process is shown in Fig. 4.
For the second output OpenFlow message set corresponding to each executable path corresponding to each input OpenFlow message of each SDN application, the following operations are performed:
In step S1051, the output OpenFlow messages in the second output OpenFlow message set are classified according to the attribute information of each output OpenFlow message in the set. The attribute information refers to whether the action field of the flow table contained in each output OpenFlow message contains a reset action.
In step S1052, according to the classification result, each output OpenFlow message in the second output OpenFlow message set is processed to obtain the third output OpenFlow message set corresponding to the executable path to which the second output OpenFlow message set belongs.
Specifically, if none of the action fields of the flow tables contained in the output OpenFlow messages in the second output OpenFlow message set contains a reset action, each output OpenFlow message in the second output OpenFlow message set is kept unchanged. That is, the output OpenFlow messages contained in the third output OpenFlow message set corresponding to the executable path to which the second output OpenFlow message set belongs are identical to the output OpenFlow messages contained in the second output OpenFlow message set.
If all of the action fields of the flow tables contained in the output OpenFlow messages in the second output OpenFlow message set contain a reset action, each output OpenFlow message in the second output OpenFlow message set is removed, so that the third output OpenFlow message set corresponding to the executable path to which the second output OpenFlow message set belongs is the empty set.
If the action fields of the flow tables contained in some of the output OpenFlow messages in the second output OpenFlow message set contain a reset action and the action fields of the flow tables contained in the other output OpenFlow messages do not, each output OpenFlow message in the second output OpenFlow message set is processed using a preset synthesis rule to obtain the third output OpenFlow message set corresponding to the executable path to which the second output OpenFlow message set belongs. The detailed process is as follows:
First, the output OpenFlow messages in the second output OpenFlow message set are divided into two groups. First group: output OpenFlow messages whose flow table's action field contains a reset action. Second group: output OpenFlow messages whose flow table's action field does not contain a reset action.
Then, one output OpenFlow message is arbitrarily taken from the first group and denoted message 1, and one output OpenFlow message is arbitrarily taken from the second group and denoted message 2.
Next, the match field and the action field of the flow table contained in message 1 are synthesized, obtaining the synthesized match field of the flow table contained in message 1.
If neither the action field of the flow table contained in message 1 nor the action field of the flow table contained in message 2 contains a delete action, the match field of the flow table contained in message 2 belongs to the synthesized match field of the flow table contained in message 1, and message 1 and message 2 both operate on the same switch, then the match fields, action fields and priority fields of the flow table contained in message 1 and the flow table contained in message 2 are synthesized. The detailed process is as follows:
The synthesized match field of the flow table contained in message 1 and the flow table contained in message 2: if the scope of the reset action of the flow table contained in message 1 (the message whose flow table's action field contains a reset action) is the destination address field, then the destination address field of the synthesized match field is the destination address field of the flow table contained in message 1, and the source address field of the synthesized match field is the source address field of the flow table contained in message 2 (the message whose flow table's action field does not contain a reset action).
If the scope of the reset action of the flow table contained in message 1 (the message whose flow table's action field contains a reset action) is the source address field, then the destination address field of the synthesized match field of the flow table contained in message 1 and the flow table contained in message 2 is the destination address field of the flow table contained in message 2 (the message whose flow table's action field does not contain a reset action), and the source address field of the synthesized match field is the source address field of the flow table contained in message 1.
The synthesis Priority field for the flow table that the flow table and message 2 that message 1 includes include is: message 1 (it includes flow table
Acted in action fields containing resetting) the priority thresholding of the flow table that includes and message 2 (it includes flow table action fields in be free of
Have resetting movement) lesser one in the priority thresholding of the flow table that includes.
The synthesis action fields for the flow table that the flow table and message 2 that message 1 includes include are: message 2 (it includes flow table it is dynamic
Make to act in domain without containing resetting) the movement thresholding of the flow table that includes.
This completes the synthesis of the match fields, action fields and priority fields of the flow tables contained in message 1 and message 2 and yields message 3, which is added to the second group. Because the flow table contained in message 3 already includes the forwarding logic of the flow table contained in message 1, message 1 is removed from the first group.
The above process is repeated until the flow table contained in each output OpenFlow message in the first group has been synthesized pairwise with the flow table contained in each output OpenFlow message in the second group.
Note that if output OpenFlow messages still remain in the first group after the flow table contained in each output OpenFlow message in the first group has been synthesized pairwise with the flow table contained in each output OpenFlow message in the second group, those output OpenFlow messages are deleted.
As a result, none of the action fields of the flow tables contained in the output OpenFlow messages of the third output OpenFlow message set, which corresponds to the executable path to which the second output OpenFlow message set belongs, contains a reset action.
Note that if the action field of the flow table contained in message 1 and/or the action field of the flow table contained in message 2 contains a delete action, message 1 and/or message 2 is deleted. In that case, other messages are selected again from the first group and/or the second group.
If neither the action field of the flow table contained in message 1 nor the action field of the flow table contained in message 2 contains a delete action, but the match field of the flow table contained in message 2 does not belong to the synthesized match field of the flow table contained in message 1, the flow tables contained in message 1 and message 2 cannot be synthesized. In that case, other messages must be selected again from the first group and the second group: either message 1 is selected from the first group and a message other than message 2 is selected from the second group, or a message other than message 1 is selected from the first group and message 2 is selected from the second group.
If neither the action field of the flow table contained in message 1 nor the action field of the flow table contained in message 2 contains a delete action, and the match field of the flow table contained in message 2 belongs to the synthesized match field of the flow table contained in message 1, but message 1 and message 2 do not operate on the same switch, the flow tables contained in message 1 and message 2 cannot be synthesized. In that case, other messages must be selected again from the first group and the second group: either message 1 is selected from the first group and a message other than message 2 is selected from the second group, or a message other than message 1 is selected from the first group and message 2 is selected from the second group.
In step S106, each output OpenFlow message in the third output OpenFlow message set corresponding to each executable path of each input OpenFlow message of each SDN application is used to detect whether any two of the multiple SDN applications conflict. The detailed process is shown in Fig. 5.
In step S1061, any two SDN applications are taken from the multiple SDN applications under test, giving a first SDN application and a second SDN application.
In step S1062, each output OpenFlow message in the third output OpenFlow message set corresponding to each executable path of each input OpenFlow message of the first SDN application is obtained, together with each output OpenFlow message in the third output OpenFlow message set corresponding to each executable path of each input OpenFlow message of the second SDN application.
In step S1063, one output OpenFlow message is taken from the third output OpenFlow message sets of the first SDN application and one from the third output OpenFlow message sets of the second SDN application, giving a first output OpenFlow message and a second output OpenFlow message.
In step S1064, based on the attribute information of the first output OpenFlow message and the second output OpenFlow message, the default judgment rule is used to judge whether the first SDN application conflicts with the second SDN application.
Specifically, if the first output OpenFlow message and the second output OpenFlow message both issue a flow table to the same switch, the source address fields and the destination address fields of the flow tables they contain respectively intersect, and their action fields differ, the first SDN application is judged to conflict with the second SDN application. Otherwise, the first SDN application is judged not to conflict with the second SDN application.
That is, two SDN applications conflict only when the following three conditions are all met: ① the output OpenFlow messages of both SDN applications issue flow tables to the same switch; ② the source address fields and the destination address fields of the flow tables contained in the two applications' output OpenFlow messages respectively intersect; ③ the action fields of the flow tables contained in the two applications' output OpenFlow messages differ. If any one of these three conditions is not met, the two SDN applications do not conflict.
Further, if the priority field of the flow table contained in the first output OpenFlow message differs from the priority field of the flow table contained in the second output OpenFlow message, both flow tables can be installed on the switch. However, the action produced by the output OpenFlow message whose flow table has the higher priority overrides the action produced by the output OpenFlow message whose flow table has the lower priority, so the action produced by the lower-priority output OpenFlow message does not take effect.
For example, suppose the flow table contained in the first output OpenFlow message is flow table 1, with priority value 1, match field λ.src=HostC, λ.dst=HostE and action field fwd(3), and the flow table contained in the second output OpenFlow message is flow table 2, with priority value 2, match field λ.src=HostC, λ.dst=HostE and action field drop. Flow table 1 and flow table 2 can therefore both be installed on the switch. When a packet carried by some input OpenFlow message (with source address HostC and destination address HostE) reaches the switch, the switch first checks the flow table with the higher priority value and checks whether the packet's source and destination addresses satisfy that flow table's match field. In this example, because the priority value of flow table 2 is higher than that of flow table 1, the switch checks flow table 2 first, finds that the packet's source and destination addresses satisfy the match field of flow table 2, and executes the action in flow table 2's action field, dropping the packet. Because the priority value of flow table 1 is lower than that of flow table 2, the switch cannot forward the packet according to the action in flow table 1's action field.
Note that, according to the OpenFlow protocol standard, if the priority value of the flow table contained in the first output OpenFlow message differs from the priority value of the flow table contained in the second output OpenFlow message, both flow tables can be installed. Their installation order, however, depends on the order in which the first output OpenFlow message and the second output OpenFlow message reach the switch and is independent of the flow tables' priority values.
When the priority values of the flow tables contained in the first and second output OpenFlow messages are identical and their match fields are also identical, the flow table contained in the first output OpenFlow message and the flow table contained in the second output OpenFlow message cannot be installed.
Further, if the priority value of the flow table contained in the first output OpenFlow message is identical to the priority value of the flow table contained in the second output OpenFlow message, the flow table contained in the output OpenFlow message that reaches the switch later cannot be installed on the switch. That is, of the two SDN applications, the flow table contained in the output OpenFlow message of the lower-priority SDN application cannot be installed on the switch.
For example, suppose the flow table contained in the first output OpenFlow message is flow table 1, with priority value 1, match field λ.src=HostC, λ.dst=HostE and action field fwd(3), and the flow table contained in the second output OpenFlow message is flow table 2, with priority value 1, match field λ.src=HostC, λ.dst=HostE and action field drop. If the first output OpenFlow message reaches the switch first and the second output OpenFlow message reaches it afterwards, flow table 1 is installed on the switch and flow table 2 cannot be installed on the switch.
Steps S1063 to S1064 are repeated until every output OpenFlow message of the first SDN application and every output OpenFlow message of the second SDN application have been taken out and judged pairwise.
Note that even if a conflict between the first SDN application and the second SDN application can already be determined from some output OpenFlow message of the first SDN application and some output OpenFlow message of the second SDN application, other output OpenFlow messages must still be selected from the first SDN application and the second SDN application and judged again, until every output OpenFlow message of the first SDN application and every output OpenFlow message of the second SDN application have been taken out and judged pairwise.
Steps S1061 to S1064 are repeated until every pair of the multiple SDN applications under test has been checked.
To facilitate a better understanding of the present invention, the technical solution of the present invention is described in detail below by means of application example one.
Application example one
Fig. 6 is a schematic diagram of a scenario in which multiple SDN applications coexist in this example. In Fig. 6, the first SDN application (firewall) and the second SDN application (dangerous application) run on the same controller at the same time. The first SDN application (firewall) installs rule Rule1 on switch sw1 to isolate traffic from the external host HostC to the internal network server (ServerD). The second SDN application (dangerous application) installs rules Rule2, Rule3 and Rule4 on switch sw1.
Rule2 means: for a packet carried by an input OpenFlow message arriving at switch sw1, if its source address (src) is the address of host HostC, switch sw1 resets the source address (src) of the packet to the address of host HostE and then continues to match the packet against the other rules on switch sw1.
Rule3 means: for a packet carried by an input OpenFlow message arriving at switch sw1, if its destination address (dst) is the address of host HostF, switch sw1 resets the destination address (dst) of the packet to the address of the network server (ServerD) and then continues to match the packet against the other rules on switch sw1.
Rule4 means: for a packet carried by an input OpenFlow message arriving at switch sw1, if its source address (src) is the address of host HostE and its destination address (dst) is the address of the network server (ServerD), the packet is forwarded through port 3.
Therefore, if the source address (src) of the packet carried by the input OpenFlow message is the address of host HostC and its destination address (dst) is the address of host HostF, the packet reaches the network server (ServerD) after passing through Rule2, Rule3 and Rule4. That is, packets from host HostC carried by input OpenFlow messages can all eventually reach the network server (ServerD), which conflicts with rule Rule1 of the first SDN application (firewall). The specific detection process is as follows:
The following operations are performed for both the first SDN application under test (firewall) and the second SDN application under test (dangerous application):
Here, for simplicity, the second SDN application (dangerous application) is used as the example below.
In step S101, the source code of the SDN application and all of its input OpenFlow messages are obtained.
In step S102, the input OpenFlow message to be handled by each event handler is determined from the attribute information of each event handler contained in the source code of the SDN application, where the input OpenFlow messages to be handled by all the event handlers together constitute all the input OpenFlow messages.
The following operations are performed for each input OpenFlow message:
In step S103, the input OpenFlow message is processed with the symbolic execution tool corresponding to the language type of the source code, to obtain the multiple executable paths corresponding to the input OpenFlow message, the path constraint corresponding to each of those executable paths, and the first output OpenFlow message set corresponding to each executable path. The first output OpenFlow message set is the set of output OpenFlow messages corresponding to that executable path.
In step S104, a constraint solver is used to solve the path constraint corresponding to each executable path, and, based on the solving result, each output OpenFlow message in the first output OpenFlow message set corresponding to each executable path is processed to obtain the second output OpenFlow message set corresponding to that executable path. The second output OpenFlow message set is the set of output OpenFlow messages obtained after processing each output OpenFlow message in the first output OpenFlow message set.
Fig. 7 is a schematic diagram of the result of running, with the symbolic execution tool, the event handler that processes the input OpenFlow message packect_in, and of solving the path constraint corresponding to each executable path with the constraint solver.
Specifically, in step S1031, the symbolic execution tool corresponding to the language type of the source code of the second SDN application (dangerous application) is used to designate the relevant variable p contained in the SDN application's input OpenFlow message packect_in as the symbolic variable λ, i.e. variable p is represented by λ.
In step S1032, the symbolic execution tool runs the event handler that processes the input OpenFlow message packect_in, to obtain the multiple executable paths corresponding to the input OpenFlow message packect_in, the path constraint corresponding to each of those executable paths, and the first output OpenFlow message set corresponding to each executable path.
In this example, when λ.src=HostC is false and λ.dst=HostF is false, the first executable path results (the first branch from the left in Fig. 7). When λ.src=HostC is false and λ.dst=HostF is true, the second executable path results (the second branch from the left in Fig. 7). When λ.src=HostC is true and λ.dst=HostF is true, the third executable path results (the first branch from the right in Fig. 7). When λ.src=HostC is true and λ.dst=HostF is false, the fourth executable path results (the second branch from the right in Fig. 7). The first to fourth executable paths are the multiple executable paths corresponding to the input OpenFlow message packect_in. The path constraint corresponding to the first executable path is: λ.src=HostC is false and λ.dst=HostF is false. The path constraint corresponding to the second executable path is: λ.src=HostC is false and λ.dst=HostF is true. The path constraint corresponding to the third executable path is: λ.src=HostC is true and λ.dst=HostF is true. The path constraint corresponding to the fourth executable path is: λ.src=HostC is true and λ.dst=HostF is false.
The second output OpenFlow message set corresponding to the first executable path is the empty set and is not shown in Fig. 8. The second output OpenFlow message set corresponding to the second executable path is shown in the third row of Fig. 8, the one corresponding to the third executable path is shown in the fourth row of Fig. 8, and the one corresponding to the fourth executable path is shown in the second row of Fig. 8.
Note that the source code of the second SDN application may have thousands of lines and include a series of event handlers such as switch_on and link_up; here only the event handler that processes the input OpenFlow message packect_in is used as an example.
The content shown in the box below Fig. 7 is the pseudocode of the above processing and has the following meaning:
If the source address (src) of the packet carried by the input OpenFlow message packect_in is the address of host HostC, the second SDN application (dangerous application) issues, through the input OpenFlow message packect_in, flow table e4 ((p.src=HostC, p.dst=*) → Set(p.src=HostE), output(table)) to switch sw1. This flow table means: for a packet carried by an input OpenFlow message arriving at switch sw1, if its source address (src) is the address of host HostC, switch sw1 resets the source address (src) of the packet to the address of host HostE and then continues to match the packet against the other rules on switch sw1.
If the destination address (dst) of the packet carried by the input OpenFlow message packect_in is the address of host HostF, the second SDN application (dangerous application) issues, through the input OpenFlow message packect_in, flow table e5 ((p.src=*, p.dst=HostF) → Set(p.dst=ServerD), output(table)) to switch sw1. This flow table means: for a packet carried by an input OpenFlow message arriving at switch sw1, if its destination address (dst) is the address of host HostF, switch sw1 resets the destination address (dst) of the packet to the address of the network server (ServerD) and then continues to match the packet against the other rules on switch sw1.
If the source address (src) of the packet carried by the input OpenFlow message packect_in is the address of host HostE and its destination address (dst) is the address of the network server (ServerD), the second SDN application (dangerous application) issues, through the input OpenFlow message packect_in, flow table e6 ((p.src=HostE, p.dst=ServerD) → fwd(3)) to switch sw1. This flow table means: for a packet carried by an input OpenFlow message arriving at switch sw1, if its source address (src) is the address of host HostE and its destination address (dst) is the address of the network server (ServerD), the packet is forwarded through port 3.
In step S105, each output OpenFlow message in the second output OpenFlow message set corresponding to each executable path is processed to obtain the third output OpenFlow message set corresponding to that executable path. The third output OpenFlow message set is the set of output OpenFlow messages obtained after processing each output OpenFlow message in the second output OpenFlow message set.
The following operations are performed for the second output OpenFlow message set corresponding to each executable path of the input OpenFlow message packect_in of the second SDN application (dangerous application):
Here, for simplicity, the second output OpenFlow message set corresponding to the third executable path is used as the example below.
As seen from Figure 8, path corresponding second can be performed with Article 3 to export in OpenFlow message set, output
OpenFlow message (With) include flow table action fields in containing resetting act, export OpenFlow messagePacket
It is acted in the action fields of the flow table contained without containing resetting, therefore, it is necessary to utilize default composition rule, to second output
In OpenFlow message set output OpenFlow message (With) handled.Concrete processing procedure such as Fig. 9 institute
Show.
Firstly, by second export OpenFlow message set in output OpenFlow message (With) it is divided into two
Group.First groupThe output OpenFlow message for including isWithThe flow table that the two output OpenFlow message include
It is acted in action fields containing resetting.Second groupThe output OpenFlow message for including isOutput OpenFlow message package
It is acted in the action fields of the flow table contained without containing resetting.
Then, from first groupWith second groupIn each take an output OpenFlow message, and by taking-up this two
A output OpenFlow message is combined.In this example, two combinations can be formed: combination 1 are as follows:WithCombination 2
Are as follows:With
Then, rightThe matching domain and action fields for the flow table for including are synthesized, and are obtainedThe synthesis for the flow table for including
With domain (λ .src=HostE, λ .dst=*).It is rightThe matching domain and action fields for the flow table for including are synthesized, and are obtainedPacket
Synthesis matching domain (λ .src=*, the λ .dst=Server of the flow table containedD)。
For combination 1, due toThe action fields for the flow table for including andIt does not contain and deletes in the action fields for the flow table for including
Except (del) is acted, andThe matching domain for the flow table for including belongs toThe synthesis matching domain for the flow table for including, andWithAll it is
To interchanger sw1Operation, then it is rightThe flow table that includes andMatching domain, action fields and the Priority field for the flow table for including into
Row synthesis.Detailed process is as follows:
The flow table that includes andThe synthesis matching domain for the flow table for including: due toWhat the resetting for the flow table for including acted
Scope is source address field (src), thenThe flow table that includes andThe destination address domain of the synthesis matching domain for the flow table for including
It is:Destination address domain,The flow table that includes andThe source address field of the synthesis matching domain for the flow table for including is:Source
Address field.Therefore,The flow table that includes andThe synthesis matching domain for the flow table for including is (λ .src=HostC, λ .dst=
ServerD)。
The flow table that includes andThe synthesis Priority field for the flow table for including is:The priority thresholding for the flow table for including
WithLesser one in the priority thresholding for the flow table for including.Due to not shown in Fig. 8The flow table that includes andInclude
The priority thresholding of flow table, no explanation is provided here.
The flow table that includes andThe synthesis action fields for the flow table for including are:The movement thresholding for the flow table for including, i.e.,
For fwd (3).
Based on this, it is completed pairThe flow table that includes andMatching domain, action fields and the priority for the flow table for including
The synthesis in domain, obtains(add,sw1, e ((λ .src=HostC, λ .dst=ServerD) → fwd (3))), and willAddition
To second groupIn.BecauseThe flow table for including includedThe forwarding logic for the flow table for including therefore willFrom
One groupMiddle removal.
For combination 2, due toThe action fields for the flow table for including andIt does not contain and deletes in the action fields for the flow table for including
Except (del) is acted, andThe matching domain for the flow table for including belongs toThe synthesis matching domain for the flow table for including, andWithAll it is
To interchanger sw1Operation, then it is rightThe flow table that includes andMatching domain, action fields and the Priority field for the flow table for including into
Row synthesis.Detailed process is as follows:
The flow table that includes andThe synthesis matching domain for the flow table for including: due toWhat the resetting for the flow table for including acted
Scope is destination address domain (dst), thenThe flow table that includes andThe destination address domain of the synthesis matching domain for the flow table for including
It is:The destination address domain for the flow table for including,The flow table that includes andThe source address of the synthesis matching domain for the flow table for including
Domain is:The source address field for the flow table for including.Therefore,The flow table that includes andThe synthesis matching domain for the flow table for including is
(λ .src=HostE, λ .dst=HostF)。
The flow table that includes andThe synthesis Priority field for the flow table for including is:The priority thresholding for the flow table for including
WithLesser one in the priority thresholding for the flow table for including.Due to not shown in Fig. 8The flow table that includes andInclude
Flow table priority thresholding, no explanation is provided here.
The flow table that includes andThe synthesis action fields for the flow table for including are:The movement thresholding for the flow table for including, i.e.,
For fwd (3).
Based on this, it is completed pairThe flow table that includes andMatching domain, action fields and the priority for the flow table for including
The synthesis in domain, obtains(add,sw1, e ((λ .src=HostE, λ .dst=HostF) → fwd (3))), and willIt is added to
Second groupIn.BecauseThe flow table for including includedThe forwarding logic for the flow table for including therefore willFrom first
GroupMiddle removal.
Based on this, the output OpenFlow in the corresponding third output OpenFlow message set of path can be performed with third and disappear
Breath are as follows:WithIt is acted without containing resetting in the action fields for the flow table that these output OpenFlow message include.
The above steps are repeated until the output OpenFlow messages in the second output OpenFlow message set corresponding to the second executable path and the output OpenFlow messages in the second output OpenFlow message set corresponding to the fourth executable path have also been synthesized.
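The composition walked through above for the third executable path, as an added Python example that is not code from the patent. It reduces an output OpenFlow message to (op, switch, src/dst match, action, priority); the class and function names, the priority values (Fig. 8 gives none) and the choice to pair each first-group message with the second group as initially formed are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "*"  # wildcard value in a match field


@dataclass(frozen=True)
class FlowMsg:
    """One output OpenFlow message (op, switch, flow table), reduced to src/dst matching."""
    op: str                          # "add" or "del"
    switch: str
    src: str                         # match field: source address
    dst: str                         # match field: destination address
    action: str                      # e.g. "fwd(3)", "drop", "output(table)"
    priority: int = 0                # constructed values, not taken from the page
    set_field: Optional[str] = None  # "src" or "dst" when the flow table has a reset action
    set_value: Optional[str] = None  # address written by the reset action


def synthesized_match(m: FlowMsg) -> Tuple[str, str]:
    """Match field of a first-group message after its reset action has been applied."""
    return (m.set_value, m.dst) if m.set_field == "src" else (m.src, m.set_value)


def belongs_to(inner: Tuple[str, str], outer: Tuple[str, str]) -> bool:
    """True when each field of `inner` is covered by `outer` (wildcard or equal value)."""
    return all(o == ANY or o == i for i, o in zip(inner, outer))


def compose(m1: FlowMsg, m2: FlowMsg) -> Optional[FlowMsg]:
    """Synthesize reset message m1 with non-reset message m2; None when the rule does not apply."""
    if m1.op == "del" or m2.op == "del":
        return None                      # messages with a delete action are discarded
    if m1.switch != m2.switch:
        return None                      # must operate on the same switch
    if not belongs_to((m2.src, m2.dst), synthesized_match(m1)):
        return None                      # m2 would never see traffic rewritten by m1
    if m1.set_field == "dst":            # reset applies to the destination address
        src, dst = m2.src, m1.dst
    else:                                # reset applies to the source address
        src, dst = m1.src, m2.dst
    return FlowMsg("add", m1.switch, src, dst, m2.action, min(m1.priority, m2.priority))


def third_set(second_set: List[FlowMsg]) -> List[FlowMsg]:
    """Turn a second output message set into a third set without reset actions."""
    live = [m for m in second_set if m.op != "del"]
    group1 = [m for m in live if m.set_field is not None]   # contain a reset action
    group2 = [m for m in live if m.set_field is None]       # contain no reset action
    result = list(group2)
    for m1 in group1:
        for m2 in group2:
            m3 = compose(m1, m2)
            if m3 is not None and m3 not in result:
                result.append(m3)
    return result                        # first-group messages themselves are dropped


def page_example() -> List[FlowMsg]:
    """Flow tables e4, e5 and e6 of the dangerous application (priorities constructed)."""
    e4 = FlowMsg("add", "sw1", "HostC", ANY, "output(table)", 10, "src", "HostE")
    e5 = FlowMsg("add", "sw1", ANY, "HostF", "output(table)", 10, "dst", "ServerD")
    e6 = FlowMsg("add", "sw1", "HostE", "ServerD", "fwd(3)", 5)
    return [e4, e5, e6]


if __name__ == "__main__":
    for m in third_set(page_example()):
        print(f"({m.op}, {m.switch}, (src={m.src}, dst={m.dst}) -> {m.action})")
```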
Similarly, each output OpenFlow message in the third output OpenFlow message set corresponding to each executable path of each input OpenFlow message of the first SDN application (firewall) can be obtained, as shown in Fig. 8.
In step S106, each output OpenFlow message in the third output OpenFlow message set corresponding to each executable path of each input OpenFlow message of each SDN application is used to detect whether any two of the multiple SDN applications conflict.
In this example, the third output OpenFlow message set corresponding to the third executable path for the input OpenFlow message packet_in of the second SDN application (dangerous application) contains (add, sw1, e((λ.src = HostC, λ.dst = ServerD) → fwd(3))), and the third output OpenFlow message set corresponding to some executable path for some input OpenFlow message of the first SDN application (firewall) contains (add, sw1, e3((λ.src = HostC, λ.dst = ServerD) → drop)). Both messages operate on switch sw1, their source address fields and their destination address fields respectively intersect, and their action fields differ. The first SDN application (firewall) and the second SDN application (dangerous application) are therefore judged to conflict. Affected traffic: messages whose input OpenFlow message contains source address HostC and destination address ServerD.
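The pairwise check applied in this example (same switch, intersecting source and destination address fields, differing action fields), written out as an added Python example that is not part of the patent. The `FlowMod` class, the `ANY` wildcard, the `hosts` helper and the sample rule sets are assumptions constructed for illustration; the priority field and the synthesis of reset actions are left out.

```python
from dataclasses import dataclass
from itertools import combinations, product
from typing import Optional

ANY = None  # assumption: a wildcard match field, treated as the universal set


@dataclass(frozen=True)
class FlowMod:
    """One output OpenFlow message: (command, switch, e(match -> action))."""
    command: str
    switch: str
    src: Optional[frozenset]   # matched source addresses, or ANY
    dst: Optional[frozenset]   # matched destination addresses, or ANY
    action: str


def intersect(a, b):
    """Intersect two match fields; ANY behaves as the universal set."""
    if a is ANY:
        return b
    if b is ANY:
        return a
    return a & b


def conflict(m1, m2):
    """Return the affected (src, dst) match if m1 and m2 conflict, else None."""
    if m1.switch != m2.switch or m1.action == m2.action:
        return None
    src, dst = intersect(m1.src, m2.src), intersect(m1.dst, m2.dst)
    # An empty intersection in either field means no packet hits both rules.
    if (src is not ANY and not src) or (dst is not ANY and not dst):
        return None
    return src, dst


def detect_conflicts(apps):
    """Compare every pair of applications, message by message."""
    findings = []
    for (name_a, msgs_a), (name_b, msgs_b) in combinations(apps.items(), 2):
        for m1, m2 in product(msgs_a, msgs_b):
            affected = conflict(m1, m2)
            if affected is not None:
                findings.append((name_a, name_b, affected))
    return findings


def hosts(*names):
    """Build a match field from address names (hypothetical helper)."""
    return frozenset(names)


# Constructed sample: each list stands for the union of one application's
# third output OpenFlow message sets over all of its executable paths.
SAMPLE_APPS = {
    "firewall": [FlowMod("add", "sw1", hosts("HostC"), hosts("ServerD"), "drop")],
    "dangerous": [
        FlowMod("add", "sw1", hosts("HostC"), hosts("ServerD"), "fwd(3)"),
        FlowMod("add", "sw1", hosts("HostE"), hosts("HostF"), "fwd(3)"),
        FlowMod("add", "sw2", ANY, hosts("ServerD"), "fwd(1)"),
    ],
}

if __name__ == "__main__":
    for app_a, app_b, (src, dst) in detect_conflicts(SAMPLE_APPS):
        print(app_a, "conflicts with", app_b, "on src", src, "dst", dst)
```

Only the HostC to ServerD pair on sw1 is reported: the HostE to HostF rule has no overlapping match with the firewall rule, and the sw2 rule targets a different switch.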
With the method provided by the embodiment of the present invention for detecting conflicts between multiple software defined network (SDN) applications, each input OpenFlow message of each SDN application among the multiple SDN applications under test is processed with a symbolic execution tool, and whether any two of the SDN applications conflict is detected from the processing results. Conflicts between the SDN applications can therefore be detected before the applications are deployed, and the method has good application prospects.
Those skilled in the art should understand that each module or step of the invention described above can be implemented with a general-purpose computing device. The modules or steps can be concentrated on a single computing device or distributed over a network formed by multiple computing devices. Optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; alternatively, they can each be fabricated as individual integrated circuit modules, or several of the modules or steps can be fabricated as a single integrated circuit module. The present invention is thus not limited to any specific combination of hardware and software.
Although the embodiments are disclosed above, the content described is only an embodiment adopted to facilitate understanding of the present invention and is not intended to limit it. Any person skilled in the art to which the present invention pertains may make any modification and change in the form and details of implementation without departing from the spirit and scope disclosed by the invention, but the scope of protection of the present invention shall still be as defined by the appended claims.
Claims (10)
1. A method for detecting conflicts between multiple software defined network (SDN) applications, characterized by comprising:
For each SDN application among the multiple SDN applications under test, performing the following operations:
Obtaining the source code of the SDN application and all of its input OpenFlow messages;
Determining, according to the attribute information of each event handler contained in the source code of the SDN application, the input OpenFlow messages to be processed by each event handler, wherein the input OpenFlow messages to be processed by all the event handlers together constitute all the input OpenFlow messages;
Performing the following operations for each input OpenFlow message:
Processing the input OpenFlow message with a symbolic execution tool corresponding to the language type of the source code, to obtain multiple executable paths corresponding to the input OpenFlow message, the path constraints corresponding to each of the executable paths, and the first output OpenFlow message set corresponding to each executable path, the first output OpenFlow message set being the set of output OpenFlow messages corresponding to that executable path;
Solving the path constraints corresponding to each executable path with a constraint solver and, based on the solving result, processing each output OpenFlow message in the first output OpenFlow message set corresponding to each executable path, to obtain the second output OpenFlow message set corresponding to each executable path, the second output OpenFlow message set being the set of output OpenFlow messages obtained after processing each output OpenFlow message in the first output OpenFlow message set;
Processing each output OpenFlow message in the second output OpenFlow message set corresponding to each executable path, to obtain the third output OpenFlow message set corresponding to each executable path, the third output OpenFlow message set being the set of output OpenFlow messages obtained after processing each output OpenFlow message in the second output OpenFlow message set;
Detecting whether any two of the multiple SDN applications conflict, using each output OpenFlow message in the third output OpenFlow message set corresponding to each executable path for each input OpenFlow message of each SDN application.
2. The method for detecting conflicts between multiple software defined network (SDN) applications according to claim 1, characterized in that processing the input OpenFlow message with a symbolic execution tool corresponding to the language type of the source code, to obtain multiple executable paths corresponding to the input OpenFlow message, the path constraints corresponding to each of the executable paths, and the first output OpenFlow message set corresponding to each executable path, comprises:
Using the symbolic execution tool corresponding to the language type of the source code of the SDN application, designating the relevant variables contained in each input OpenFlow message of the SDN application as symbolic variables, wherein the relevant variables are the variables that need to be used in detecting conflicts between the multiple SDN applications;
Running, with the symbolic execution tool, each event handler contained in the source code of the SDN application, to obtain the multiple executable paths corresponding to each input OpenFlow message of the SDN application, the path constraints corresponding to each of the executable paths, and the first output OpenFlow message set corresponding to each executable path.
3. The method for detecting conflicts between multiple software defined network (SDN) applications according to claim 2, characterized by further comprising:
Assigning concrete values to the irrelevant variables contained in each input OpenFlow message of the SDN application, wherein the irrelevant variables are the variables that are not used in detecting conflicts between the multiple SDN applications.
4. The method for detecting conflicts between multiple software defined network (SDN) applications according to claim 2 or 3, characterized by further comprising:
Limiting the value range of each symbolic variable contained in each input OpenFlow message of the SDN application to a preset range, according to the concrete meaning, in the software defined network (SDN), of each field of the flow table contained in each input OpenFlow message of the SDN application.
5. The method for detecting conflicts between multiple software defined network (SDN) applications according to claim 1, characterized in that solving the path constraints corresponding to each executable path with a constraint solver and, based on the solving result, processing each output OpenFlow message in the first output OpenFlow message set corresponding to each executable path, to obtain the second output OpenFlow message set corresponding to each executable path, comprises:
For each executable path corresponding to each input OpenFlow message of each SDN application, performing the following operations:
Solving the path constraints corresponding to the executable path with the constraint solver;
Where the constraint solver returns that a solution exists, assigning the concrete values obtained by solving to each symbolic variable contained in each output OpenFlow message in the first output OpenFlow message set corresponding to the executable path, to obtain the second output OpenFlow message set corresponding to the executable path;
Where the constraint solver returns that no solution exists, removing the first output OpenFlow message set corresponding to the executable path, to obtain the second output OpenFlow message set corresponding to the executable path, wherein this second output OpenFlow message set is the empty set.
6. The method for detecting conflicts between multiple software defined network (SDN) applications according to claim 1, characterized in that the action field of the flow table contained in the output OpenFlow message either contains a reset action or does not contain a reset action.
7. The method for detecting conflicts between multiple software defined network (SDN) applications according to claim 6, characterized in that processing each output OpenFlow message in the second output OpenFlow message set corresponding to each executable path, to obtain the third output OpenFlow message set corresponding to each executable path, comprises:
For the second output OpenFlow message set corresponding to each executable path for each input OpenFlow message of each SDN application, performing the following operations:
Classifying each output OpenFlow message in the second output OpenFlow message set according to the attribute information of each output OpenFlow message in the second output OpenFlow message set;
Processing each output OpenFlow message in the second output OpenFlow message set according to the classification result, to obtain the third output OpenFlow message set corresponding to the executable path to which the second output OpenFlow message set belongs.
8. The method for detecting conflicts between multiple software defined network (SDN) applications according to claim 7, characterized in that processing each output OpenFlow message in the second output OpenFlow message set according to the classification result, to obtain the third output OpenFlow message set corresponding to the executable path to which the second output OpenFlow message set belongs, comprises:
Where none of the action fields of the flow tables contained in the output OpenFlow messages in the second output OpenFlow message set contains a reset action, keeping each output OpenFlow message in the second output OpenFlow message set unchanged, so that the output OpenFlow messages contained in the third output OpenFlow message set corresponding to the executable path to which the second output OpenFlow message set belongs are identical to the output OpenFlow messages contained in the second output OpenFlow message set;
Where all of the action fields of the flow tables contained in the output OpenFlow messages in the second output OpenFlow message set contain a reset action, removing each output OpenFlow message in the second output OpenFlow message set, so that the third output OpenFlow message set corresponding to the executable path to which the second output OpenFlow message set belongs is the empty set.
9. The method for detecting conflicts between multiple software defined network (SDN) applications according to claim 8, characterized in that processing each output OpenFlow message in the second output OpenFlow message set according to the classification result, to obtain the third output OpenFlow message set corresponding to the executable path to which the second output OpenFlow message set belongs, further comprises:
Where the action fields of the flow tables contained in one part of the output OpenFlow messages in the second output OpenFlow message set contain a reset action and the action fields of the flow tables contained in the other part of the output OpenFlow messages do not contain a reset action, processing each output OpenFlow message in the second output OpenFlow message set with a preset synthesis rule, to obtain the third output OpenFlow message set corresponding to the executable path to which the second output OpenFlow message set belongs.
10. The method for detecting conflicts between multiple software defined network (SDN) applications according to claim 1, characterized in that detecting whether any two of the multiple SDN applications conflict, using each output OpenFlow message in the third output OpenFlow message set corresponding to each executable path for each input OpenFlow message of each SDN application, comprises:
Taking any two SDN applications from the multiple SDN applications under test, to obtain a first SDN application and a second SDN application;
Obtaining each output OpenFlow message in the third output OpenFlow message set corresponding to each executable path for each input OpenFlow message of the first SDN application, and each output OpenFlow message in the third output OpenFlow message set corresponding to each executable path for each input OpenFlow message of the second SDN application;
Taking one output OpenFlow message from the third output OpenFlow message set corresponding to each executable path for each input OpenFlow message of the first SDN application and one output OpenFlow message from the third output OpenFlow message set corresponding to each executable path for each input OpenFlow message of the second SDN application, to obtain a first output OpenFlow message and a second output OpenFlow message;
Judging, according to the attribute information of the first output OpenFlow message and the second output OpenFlow message and using a preset judgment rule, whether the first SDN application and the second SDN application conflict.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811504826.6A CN109725925B (en) | 2018-12-10 | 2018-12-10 | Method for detecting conflicts between multiple Software Defined Network (SDN) applications |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811504826.6A CN109725925B (en) | 2018-12-10 | 2018-12-10 | Method for detecting conflicts between multiple Software Defined Network (SDN) applications |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109725925A true CN109725925A (en) | 2019-05-07 |
CN109725925B CN109725925B (en) | 2020-09-18 |
Family
ID=66294948
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811504826.6A Active CN109725925B (en) | 2018-12-10 | 2018-12-10 | Method for detecting conflicts between multiple Software Defined Network (SDN) applications |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109725925B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN109725925B (en) | 2020-09-18 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||