CN112437065B - Strategy conflict detection and solution method based on graphic representation under SDN environment - Google Patents


Info

Publication number: CN112437065B
Authority: CN (China)
Application number: CN202011259536.7A
Other languages: Chinese (zh)
Other versions: CN112437065A
Prior art keywords: graph, policy, rule, bit, node
Legal status: Active (the legal status is an assumption and is not a legal conclusion)
Inventors: 房忠万, 仲红, 杨明, 崔杰, 许艳, 田苗苗, 孙秀文
Current assignee: Anhui University
Original assignee: Anhui University
Application filed by Anhui University; priority to CN202011259536.7A; published as CN112437065A, granted as CN112437065B.

Classifications

All classes fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 ... for managing network security; network security policies in general
    • H04L63/205 ... involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers, or by selection according to the capabilities of the entities involved
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/12 Discovery or management of network topologies
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L41/22 Arrangements for maintenance, administration or management of data switching networks comprising specially adapted graphical user interfaces [GUI]


Abstract

The invention discloses a policy conflict detection and resolution method based on graph representation in an SDN environment. Flow rules are stored in an extended multi-bit prefix trie, from which the corresponding equivalence classes (ECs) and configuration graphs are generated, and each network policy is expressed as a policy graph. The policy change produced by each network update is first applied to the network model and the affected ECs are computed from the model; a violation detection module then checks, for each affected EC, whether a policy violation has occurred. If any violation is found, the configuration graph and the physical topology graph are compressed and passed to a violation resolution module; the optimizer returns a set of edges of the EC configuration graph to be added or deleted, which are applied to the network model and converted into concrete OpenFlow rules; finally a heuristic algorithm places the rules optimally on the forwarding devices. The invention rejects illegal flow rules at low cost, resolves all policy violations, and avoids rule conflicts among large numbers of endpoint policies.

Description

Policy conflict detection and resolution method based on graph representation in an SDN environment
Technical Field
The invention relates to network security technology, in particular to a policy conflict detection and resolution method based on graph representation in an SDN environment.
Background
Software Defined Networking (SDN) is a new type of network architecture that separates the control plane from the forwarding devices, which facilitates better network management and simplifies the deployment of new network functions. In a traditional network the control logic consists of heavyweight routing protocols running on the physical devices, which combine network topology information with device configuration; in an SDN the control logic is implemented by the SDN controller and is exercised centrally. OpenFlow is one of the best-known southbound interface protocols and lets the controller dictate the forwarding path of packets through the switches. The availability, security and QoS of the network depend on the exact enforcement of the network policies that operators implement by writing SDN applications.
All kinds of networks, whether DCNs, WANs or campus LANs, are governed by high-level policies that determine which network resources may be accessed, so as to provide secure and reliable network services. A network administrator translates network-level policies into atomic flow rules by operating the SDN controller and deploys them onto hardware or software devices. This translation is essentially manual and is typically internalized over time by expert network administrators. In a large network community many kinds of users coexist, such as server administrators, network engineers, DNS administrators and ordinary users, and each applies policies of their own design to the parts of the network they own or manage. These enterprise users and administrators must manually check that the growing set of policies installed at the same location does not conflict and still meets each intended high-level policy, which can take days or even weeks of planning and implementation to ensure effectiveness and consistency.
Existing approaches also typically check for errors and their consequences only while a policy is being enforced, yet these consequences can be severe (e.g., costly data leaks, segmentation violations and intrusions). Detecting and eliminating such errors is therefore critical to network security, but it is a very challenging task. In the prior art the network configuration is maintained by hand, which is error-prone and slow. Given the complexity and propagation speed of new attack vectors, manually updating and testing a new configuration leaves the network vulnerable until the attack vector is fully mitigated. Worse, the situation deteriorates as network infrastructure moves towards more automation, where the number of entities that independently and dynamically generate policies grows several-fold; SDN applications in campus networks, tenants of virtualized cloud environments and Network Function Virtualization (NFV) are all examples. While SDN supports new functionality, application designers may be unaware of the policies and security requirements already present in the networks where their applications are deployed. Worse still, SDN applications programmed in high-level languages (e.g., Java or Python) can be very complex.
In view of the above, it is highly desirable to automatically detect and resolve both subtle policy conflicts and endpoint policy conflicts before policies are deployed to the data plane.
Disclosure of Invention
Purpose of the invention: the invention aims to overcome the defects of the prior art and provides a policy conflict detection and resolution method based on graph representation in an SDN environment. The method not only resolves policy conflicts but also greatly reduces the number of rules in a switch, thereby avoiding rule explosion; at the same time the policy specification is separated from the underlying physical devices to form a high-level policy abstraction, which finally relieves application developers of much of the burden of formulating and implementing policies.
Technical scheme: the invention discloses a policy conflict detection and resolution method based on graph representation in an SDN environment, which comprises the following steps in order:
S1, constructing a network model: construct a multi-bit prefix trie (TRIE) and extend it, group packets into equivalence classes (ECs) according to the whole path from the root node to a leaf node in the extended trie, then extract a configuration graph for each EC, and further construct the policy graphs to form the network model;
S2, conflict detection: use a conflict detection module to check whether each affected EC in the network model has a policy violation;
S3, conflict resolution: compress the configuration graph and the physical topology graph and pass them to the violation resolution module; the optimizer returns a set of edges of the EC configuration graph to be added or deleted and applies them to the network model, so that they can be converted into the corresponding OpenFlow rules;
S4, layout optimization: use a heuristic algorithm to place the rules optimally on the forwarding devices.
Further, the specific content of step S1 is:
Step S1.1, construct a multi-bit prefix trie, in which each child node corresponds to a bit value (0, 1 or a wildcard) and every node at a given level represents the same bit position in the packet header; the combination of nodes along each dimension of the trie represents the information in a packet header field;
Step S1.2, extend the trie of step S1.1 by adding a field pointer indicating the starting position of each header field, so that policy conflicts within a field can be searched quickly; link all related leaf nodes through leaf pointers, and let the whole path from the root node to a leaf node correspond to all match fields of a flow table entry;
Step S1.3, according to the flow rules along the whole path, divide the packets that undergo the same flow rule actions into an equivalence class (EC), where each EC is defined by a series of bits with specific values and the packets belonging to the same EC are matched by the same flow rules;
Step S1.4, store the generated ECs in the leaf nodes and, if update rules exist, update the ECs regularly; the server affected by a violated policy can then be found quickly; extract from each EC a configuration graph of the packet forwarding behaviour defined in that EC; finally, adding or deleting a given EC repair entails traversing the links of the configuration graph, and searching for a link addition requires checking the topology graph defined by the edges of the physical topology.
Further, the fast search method of step S1.4 is as follows:
Storing all forwarding rules present on all devices of the network in the TRIE data structure allows a quick lookup of the existing rules that overlap a newly inserted rule. Each rule is treated as a binary string and the TRIE is built one bit at a time, so that each level of the TRIE represents one bit of a rule; for example, for traditional destination-prefix-based routing the TRIE has 32 levels. Each node of the TRIE has three branches: the first branch is taken if the corresponding rule bit is 0, the second if it is 1, and the third (wildcard) if the bit is a don't-care. The leaves store the actual rules, each rule being represented by the path from the TRIE root to its leaf. Once such a TRIE is constructed, searching for overlapping rules becomes simple and fast: given a new rule, start from its first bit and traverse the TRIE from the root, checking each bit and taking the branch indicated by its value; for a wildcard bit all three branches of the current node must be explored, since the bit can take any value, whereas for a 0 or 1 bit only the matching 0 or 1 branch and the wildcard branch are explored. Once the leaves of all explored paths are reached, the result is the list of rules that overlap the new rule, and these rules are used to construct the equivalence classes and configuration graphs used to detect network policy conflicts.
The packet space of the network is partitioned into a set of equivalence classes, i.e. groups of packets that are subject to the same forwarding actions throughout the network; these are called equivalence classes, abbreviated ECs. Each change to the network typically affects only very few ECs. Thus the set of ECs whose forwarding behaviour can be changed by a rule is found, and network policy conflicts are detected only within these classes.
The extended TRIE of the invention adds a new leaf pointer to associate a new EC (generated by a new rule) efficiently with the existing ECs, and also adds a field start-address pointer; OpenFlow 1.0 has twelve match fields.
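The ternary trie lookup and the EC grouping of step S1, as an added illustration that is not code from the patent: a three-branch trie over a 4-bit header (the width, the rule format with id/switch/priority/match/action, and the sample rules are assumptions chosen for the example), the overlap search that explores the 0-or-1 branch plus the wildcard branch for fixed bits and all three branches for wildcard bits, and an EC computation that groups every concrete header by the highest-priority rule matching it on each switch. The affected-EC check at the end shows why an update only needs to be re-verified against the few ECs its match covers.

```python
from collections import defaultdict

WILDCARD = "*"


class TrieNode:
    __slots__ = ("children", "rules")

    def __init__(self):
        self.children = {}  # bit value "0", "1" or "*" -> child TrieNode
        self.rules = []     # rules stored at this leaf (one full path = one match pattern)


class RuleTrie:
    """Ternary prefix trie: one level per header bit, three branches per node."""

    def __init__(self, width):
        self.width = width
        self.root = TrieNode()

    def insert(self, rule):
        node = self.root
        for bit in rule["match"]:
            node = node.children.setdefault(bit, TrieNode())
        node.rules.append(rule)

    def overlapping(self, pattern):
        """Existing rules that could share at least one concrete packet with `pattern`."""
        found = []
        stack = [(self.root, 0)]
        while stack:
            node, depth = stack.pop()
            if depth == self.width:
                found.extend(node.rules)
                continue
            bit = pattern[depth]
            # a wildcard bit can take any value, so every branch must be explored;
            # a fixed 0/1 bit only overlaps its own branch and the wildcard branch
            branches = ("0", "1", WILDCARD) if bit == WILDCARD else (bit, WILDCARD)
            for b in branches:
                child = node.children.get(b)
                if child is not None:
                    stack.append((child, depth + 1))
        return found


def matches(pattern, header):
    """True when the ternary pattern covers the concrete header bit string."""
    return all(p == WILDCARD or p == h for p, h in zip(pattern, header))


def equivalence_classes(rules, width):
    """Group every concrete header by the highest-priority rule that hits it on each switch.
    Headers with the same per-switch rule tuple experience the same forwarding: one EC."""
    by_switch = defaultdict(list)
    for r in rules:
        by_switch[r["switch"]].append(r)
    ecs = defaultdict(list)
    for value in range(2 ** width):
        header = format(value, f"0{width}b")
        key = []
        for sw in sorted(by_switch):
            hit = max((r for r in by_switch[sw] if matches(r["match"], header)),
                      key=lambda r: r["priority"], default=None)
            key.append((sw, hit["id"] if hit else None))
        ecs[tuple(key)].append(header)
    return dict(ecs)


def affected_ecs(ecs, new_rule):
    """ECs containing at least one header the new rule matches; only these need re-checking."""
    return {key for key, headers in ecs.items()
            if any(matches(new_rule["match"], h) for h in headers)}


# constructed sample rule set over a 4-bit header (assumption, not from the patent)
RULES = [
    {"id": "r1", "switch": "s1", "priority": 10, "match": "10**", "action": "fwd s2"},
    {"id": "r2", "switch": "s1", "priority": 5,  "match": "1***", "action": "fwd s3"},
    {"id": "r3", "switch": "s2", "priority": 1,  "match": "****", "action": "fwd h2"},
    {"id": "r4", "switch": "s3", "priority": 5,  "match": "0***", "action": "fwd h1"},
]
NEW_RULE = {"id": "r5", "switch": "s2", "priority": 8, "match": "1*1*", "action": "drop"}


def demo():
    """Returns (ids of rules overlapping the new rule, number of ECs, number of affected ECs)."""
    trie = RuleTrie(width=4)
    for r in RULES:
        trie.insert(r)
    overlap = sorted(r["id"] for r in trie.overlapping(NEW_RULE["match"]))
    ecs = equivalence_classes(RULES, width=4)
    return overlap, len(ecs), len(affected_ecs(ecs, NEW_RULE))


if __name__ == "__main__":
    print(demo())
```

With the sample rules the 16 possible headers collapse into three ECs (0xxx, 10xx and 11xx), the trie reports r1, r2 and r3 as overlapping the new "1*1*" rule (r4 is pruned because its first bit is 0), and only two of the three ECs contain packets the new rule would touch. Real headers are far wider than 4 bits, so a production implementation computes ECs symbolically from the overlapping rules rather than by enumerating headers as done here.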
Further, the specific content of step S2 is:
S2.1, define a policy graph over the packet header space on the basis of the policy graphs constructed in step S1, where each node of the policy graph is a physical or software-based device and qualitative and quantitative reachability constraints can be expressed; for simplicity the packet header space is not described further. Edges of the policy graph carry labels representing different types of reachability constraint: m denotes the number of paths from node a to node b, and n bounds the number of hops;
S2.2, repair the loops in the network with a loop detection and elimination algorithm, and then run the conflict detection module (multi-bit prefix trie, configuration graph, etc.). The aim of loop repair is to make minimal changes to the existing network, i.e. to minimize the impact on ECs and the number of deleted rules. The compressed graph used in the conflict detection module is equivalent to the original graph with respect to the relevant policies;
Compression is needed because large networks are built with redundant, symmetric structure to achieve load balancing or resilience; the compressed graph is equivalent to the original graph with respect to the relevant policies. The labelled directed graph is compressed according to the following bisimulation relation:
Let G = (V, E, L) be a directed graph: V is the set of nodes, (a, b) ∈ E is a directed edge from node a to node b, and L(a) ∈ Γ is the label of node a, where Γ is the set of labels applied to V (in a network system these labels denote sets of functionally similar network nodes, e.g. hosts, firewalls, load balancers). A bisimulation relation on (V, E, L) is a binary relation BR ⊆ V × V such that, for all (a, b) ∈ BR:
1) L(a) = L(b);
2) for every edge (a, a') ∈ E there exists an edge (b, b') ∈ E such that (a', b') ∈ BR;
3) for every edge (b, b') ∈ E there exists an edge (a, a') ∈ E such that (a', b') ∈ BR.
For a given EC configuration graph EC_c, policy graph P and topology graph T, EC_c and T are compressed with respect to the relevant policy subgraph P_c; the compressed graphs are denoted EC_c', P' and T'. No information in the policy graph is lost by compression. The maximal bisimulation on EC_c is then computed and the graph is compressed according to it.
The bisimulation on EC_c is computed as follows: first the part of T that overlaps EC_c is compressed (as an undirected graph) according to EC_c'; then the edges between the non-overlapping part and the compressed part are drawn using the original edges of T. The compression algorithm has time complexity O(|E| log |V|).
The compression algorithm is described in detail by the following steps. Given input EC_c, P, T:
1) compute the maximal bisimulation relation BR on EC_c;
2) compute the quotient V/BR (the clusters of nodes related by BR);
3) fold the nodes belonging to each cluster into a single node;
4) compute the compressed graphs EC_c' and T'.
The output is EC_c', T'.
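The bisimulation-based folding of steps 1) to 4), and the symmetry compression that step S3 applies to the topology graph, as an added example that is not the patent's code: the block computes the coarsest partition in which related nodes carry the same label and reach the same set of blocks (the maximal bisimulation BR), then folds each block of V/BR into one node. The sample graph is a constructed fat-tree-like EC configuration graph (hosts, ToR, aggregation, core, plus one firewall hanging off a single ToR, all assumptions for the example); the naive partition refinement used here is O(|V|·|E|) per pass rather than the O(|E| log |V|) of a Paige-Tarjan implementation, but it computes the same partition.

```python
from collections import defaultdict


def bisimulation_blocks(nodes, edges, label):
    """Coarsest partition in which related nodes share a label and the same set of
    successor blocks: the maximal bisimulation on (V, E, L), by iterative refinement."""
    succ = defaultdict(set)
    for a, b in edges:
        succ[a].add(b)
    block = {v: label[v] for v in nodes}  # start from the label partition (condition 1)
    while True:
        # a node's signature: its current block plus the sorted blocks it can reach
        # (sorted tuples keep the result deterministic across runs)
        signature = {v: (block[v], tuple(sorted({block[w] for w in succ[v]})))
                     for v in nodes}
        ids = {sig: f"B{i}" for i, sig in enumerate(sorted(set(signature.values())))}
        new_block = {v: ids[signature[v]] for v in nodes}
        if len(set(new_block.values())) == len(set(block.values())):
            return new_block  # no block was split: the partition is stable
        block = new_block


def compress(nodes, edges, label):
    """Fold every block of V/BR into one node and keep one edge per block pair."""
    block = bisimulation_blocks(nodes, edges, label)
    folded_nodes = sorted(set(block.values()))
    folded_edges = sorted({(block[a], block[b]) for a, b in edges})
    return block, folded_nodes, folded_edges


# constructed fat-tree-like EC configuration graph (assumption, not from the patent)
LABEL = {
    "h1": "host", "h2": "host", "h3": "host", "h4": "host",
    "t1": "tor", "t2": "tor", "a1": "agg", "a2": "agg",
    "c": "core", "fw": "firewall",
}
EDGES = [
    ("h1", "t1"), ("h2", "t1"), ("h3", "t2"), ("h4", "t2"),
    ("t1", "a1"), ("t1", "a2"), ("t2", "a1"), ("t2", "a2"),
    ("t2", "fw"),                      # only t2 is attached to the firewall
    ("a1", "c"), ("a2", "c"),
]
NODES = sorted(LABEL)


if __name__ == "__main__":
    block, folded_nodes, folded_edges = compress(NODES, EDGES, LABEL)
    print(len(NODES), "nodes ->", len(folded_nodes), "blocks;",
          len(EDGES), "edges ->", len(folded_edges))
```

The two aggregation switches fold into one block, as do the host pairs behind each ToR, but the firewall attachment breaks the symmetry between t1 and t2, so the refinement splits the ToR block and, one pass later, the hosts behind them: 10 nodes and 11 edges become 7 blocks and 6 edges, and every reachability policy stated over labels (host to core, host through firewall) holds on the folded graph exactly when it holds on the original.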
S2.3, when the conflict detection module finds a violating EC, execute the conflict resolution algorithm in the conflict resolution module. When an update is intercepted, a network model is constructed for each affected EC; this model captures the configured forwarding behaviour of all packets in the EC. The directed configuration graph, the topology graph and the policy graph are then taken as the input of the conflict resolution algorithm, whose aim is to repair the detected violation optimally, i.e. with the minimum number of changes to the original configuration. The repair problem is stated as an optimization problem: add or delete the minimum number of edges on the configuration graph such that the modified configuration subgraph conforms to the associated policy subgraph, where the added edges are constrained by the physical topology graph;
S2.4, the repair problem for the basic reachability policy is formulated as an Integer Linear Programming (ILP) problem:
Figure GDA0003645227820000051
Figure GDA0003645227820000052
Figure GDA0003645227820000053
Further, the loop detection and elimination algorithm of step S2.2 is as follows:
Let SL(c) denote all cycles occurring in EC_c, n(SL(c)) the number of cycles in EC_c, and τ_a the subgraph of EC_c under repair; when the subgraph is acyclic, n(τ_a) = 0.
First find and delete all edges shared by several loops in EC_c. For each cycle of EC_c that is not repaired by removing these edges, next remove an edge (a, b) in which b is the target of the destination IP address (if such an edge exists). If τ_a still contains cycles, delete the edge in the cycle with the most specific matching rule (e.g. the longest prefix). Each edge maps to a specific forwarding rule on a specific switch when the ECs are computed, and replacing that forwarding rule with a drop rule completes the deletion; this prevents a coarser match from creating another loop. For example, if only the rule matching destination IP 10.0.0.1/32 is removed from the switch forwarding table, another rule matching 10.0.0.1/31 on the same switch that forwards to the same next hop can prevent the loop from being repaired. Because the flow table resources of a switch are limited, all the coarse drop rules are checked during the repair to determine whether some of them can be merged.
Figure GDA0003645227820000061
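The longest-prefix step of the loop repair and the reason the rule is replaced by a drop rule rather than deleted, as an added example that is not the patent's code. It models one EC (one destination address) as the chain of per-switch longest-prefix decisions, so each switch contributes one edge and the "edges shared by several loops" step does not arise; the switch tables are constructed for the example and the patent's 10.0.0.1/31 is written in canonical form as 10.0.0.0/31 because Python's ipaddress module rejects prefixes with host bits set.

```python
import ipaddress


def lookup(table, dst):
    """Longest-prefix match over one switch's (prefix, action) rules; None if no rule hits."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for prefix, action in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, action), net.prefixlen
    return best


def forwarding_path(tables, start, dst):
    """Follow the per-switch decisions for dst from `start`.
    Returns (hops, cycle): cycle is the list of switches forming a loop, or [] if none."""
    hops, node = [], start
    while node in tables:
        if node in hops:
            return hops, hops[hops.index(node):]  # the repeated node closes a cycle
        hops.append(node)
        hit = lookup(tables[node], dst)
        if hit is None or hit[1] == "drop":
            return hops, []
        node = hit[1]  # action is the next-hop name
    hops.append(node)  # reached a host or a device with no table
    return hops, []


def repair_loop(tables, start, dst):
    """Patent-style step: while a loop exists, pick the cycle edge whose rule is the most
    specific (longest prefix) and turn that rule into a drop rule in place.
    Returns the list of (switch, prefix) rules that were replaced."""
    replaced = []
    while True:
        _, cycle = forwarding_path(tables, start, dst)
        if not cycle:
            return replaced
        sw, (prefix, _) = max(((s, lookup(tables[s], dst)) for s in cycle),
                              key=lambda item: ipaddress.ip_network(item[1][0]).prefixlen)
        tables[sw] = [(p, "drop" if p == prefix else a) for p, a in tables[sw]]
        replaced.append((sw, prefix))


def delete_rule_only(tables, sw, prefix):
    """The naive alternative the patent warns about: delete the rule instead of dropping."""
    tables[sw] = [(p, a) for p, a in tables[sw] if p != prefix]


def sample_tables():
    # constructed per-switch tables for the EC of destination 10.0.0.1 (not from the patent)
    return {
        "A": [("10.0.0.1/32", "B"), ("10.0.0.0/31", "B"), ("0.0.0.0/0", "C")],
        "B": [("10.0.0.0/24", "A")],
        "C": [("0.0.0.0/0", "h1")],
    }


def demo():
    """Returns (loop before, rules replaced, loop after drop-repair, loop after naive delete)."""
    tables = sample_tables()
    _, before = forwarding_path(tables, "A", "10.0.0.1")
    replaced = repair_loop(tables, "A", "10.0.0.1")
    _, after = forwarding_path(tables, "A", "10.0.0.1")

    naive = sample_tables()
    delete_rule_only(naive, "A", "10.0.0.1/32")  # only the /32 is removed
    _, after_naive = forwarding_path(naive, "A", "10.0.0.1")
    return bool(before), replaced, bool(after), bool(after_naive)


if __name__ == "__main__":
    print(demo())
```

Switch A forwards 10.0.0.1 to B through its /32 rule and B sends it straight back, so the chain A, B, A is a loop. The repair picks A's /32 (32 bits is longer than B's /24), rewrites it to a drop and the loop disappears. Deleting the /32 instead leaves the /31 rule in charge, which still forwards to B, and the same loop survives; that is exactly the coarse-match trap the specification describes.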
Further, the specific content of step S3 is: delete disconnected physical devices from the physical topology graph and localize the potentially affected portion of the topology graph (i.e. only a subset of the topology edges is considered as candidates to map to policy edges); then compress the graph using symmetry rules, ensuring that the compressed graph conforms to the same policies as the original graph.
In the optimization formulation, one variable of the ECs related to the number of links is the number of edges in the generated topology and policy graphs. The optimization goal is to fix the problem with minimal modification;
(3.1) The first step concerns the physical topology: the technique aims at "cutting out" irrelevant or redundant parts of the network, first removing physical devices that are already disconnected and then localizing the potentially affected part of the topology, i.e. only a subset of the topology edges is considered as candidates to map to policy edges;
(3.2) Besides their hierarchical structure, most large networks are designed in a way that enhances symmetry to some degree in order to achieve load balancing or resilience. For example, in a data-center fat-tree topology the devices on one tier (access, aggregation, core) are connected symmetrically to multiple devices on the adjacent tiers. The graph is compressed using these symmetry rules while ensuring that the compressed graph conforms to the same policies as the original graph.
Further, the detailed process of the layout optimization in step S4 is as follows:
S4.1, compute the total overhead C of the layout from the total number of policies, or n(r);
S4.2, compute the standard deviation U of the flow-table storage utilization across the switches, so as to balance the load of the switches;
S4.3, to determine whether the near-optimal policy layout algorithm should be run, let X denote the number of switches whose capacity is exceeded under the current layout; when X > 0 the flag F is set to 1 and the near-optimal policy layout algorithm is executed;
S4.4, the near-optimal policy layout algorithm uses E to denote the number of rule conflicts in the whole network; the benefit of the current policy placement is then expressed as W = F / [(C × U) − E];
In short, the search process of the algorithm seeks a greater benefit by semantics-preserving transfer of the offending policies;
S4.5, if no transfer makes the W of the current placement larger, the process terminates, and only when W > 0 is the current placement the best solution; the near-optimal policy layout algorithm is shown in the accompanying listing. Note that when W < 0 the current placement is unacceptable because of flow table overflow, and the controller must be consulted in interactive mode for appropriate operating instructions;
In the above process a single-hop transfer function T_s is defined, whose input parameters are an endpoint policy P_e and a neighbouring switch s_a and whose output is a new set of policies; several single-hop transfer functions compose a multi-hop transfer function, giving the following three transfer cases:
if neither p nor p slice p' can be transferred to s, then
Figure GDA0003645227820000071
If only p can be transferred to switch s, then
Figure GDA0003645227820000072
If only the slice p' of p is transferred to switch s, then
Figure GDA0003645227820000073
Figure GDA0003645227820000074
Wherein, the symbol
Figure GDA0003645227820000075
Is p.f replaced by a value v;
The optimal policy layout additionally ensures that the traffic capacity of the critical flow tables is not affected by congestion. To realize semantics-preserving transfer, a single-hop transfer function T_s is provided: its input parameters are an endpoint policy P_e and a neighbouring switch s_a, and its output is a new set of policies. The multi-hop transfer function is composed of single-hop transfer functions. Specifically, there are three transfer cases: if neither p nor a slice of p can be transferred to s, then
Figure GDA0003645227820000076
If p can be transferred to switch s, then
Figure GDA0003645227820000077
If a slice of p (denoted p') can be transferred to switch s, then
Figure GDA0003645227820000078
The symbol
Figure GDA0003645227820000079
denotes p with field f replaced by the value v.
Beneficial effects: compared with the prior art, the invention has the following advantages:
(1) The invention represents network policies abstractly by constructing a simple and intuitive policy graph for each policy, and uses integer linear programming to formulate the problem of minimizing the modifications needed when policies conflict.
(2) The invention develops a heuristic algorithm that performs near-optimal policy layout automatically and scalably and can significantly reduce the number of rules, thereby largely avoiding endpoint policy conflicts.
(3) The invention presents the design and implementation of a GPVC system that aims to detect and resolve automatically the security policy violations and policy conflicts that lead to costly data leaks, segmentation violations and intrusions.
Drawings
FIG. 1 is the overall flow chart of the present invention;
FIG. 2 is a schematic diagram of a usage scenario of the present invention;
FIG. 3 is a diagram of a prior-art SDN architecture;
FIG. 4 is a schematic diagram of the extended multi-bit prefix trie of the present invention;
FIG. 5 is a schematic diagram of the policy graph of the present invention;
FIG. 6 is a flowchart of step S1 of the present invention;
FIG. 7 is a flowchart of step S2 of the present invention;
FIG. 8 is a flowchart of step S3 of the present invention;
FIG. 9 is a flowchart of step S4 of the present invention;
FIG. 10 is a schematic diagram of a network topology in an embodiment.
Detailed Description
The technical solution of the present invention is described in detail below, but the scope of the present invention is not limited to the embodiments.
As shown in FIG. 1, the method of the present invention for detecting and resolving policy conflicts based on a graph representation in an SDN environment comprises the following steps in order:
S1, constructing a network model: construct and extend a multi-bit prefix trie (TRIE), group packets into equivalence classes (ECs) according to the whole path from the root node to a leaf node in the extended trie, then extract a configuration graph for each EC, and further construct the policy graphs to form the network model, as shown in FIG. 6.
Step S1.1, construct a multi-bit prefix trie in which each child node corresponds to one of the three possible bit values 0, 1 and x (wildcard) and every node at a given level represents the same bit position in the packet header; the combination of nodes along each dimension of the trie represents the information in a packet header field;
Step S1.2, extend the trie of step S1.1 (as shown in FIG. 4) by adding a field pointer indicating the starting position of each header field, link all related leaf nodes through leaf pointers, and let the whole path from the root node to a leaf node correspond to all match fields of a flow table entry;
Step S1.3, according to the flow rules along the whole path and following the naming used in VeriFlow, divide the packets that undergo the same flow rule actions into an equivalence class (EC); each EC is defined by a series of bits with specific values, and the packets belonging to the same EC are matched by the same flow rules;
Step S1.4, store the generated ECs in the leaf nodes and, if update rules exist, update the ECs regularly, so that the server affected by a violated policy can be found quickly; extract from each EC a configuration graph of the packet forwarding behaviour defined in that EC; finally, adding or deleting a given EC repair requires traversing the links of the configuration graph, and searching for a link addition requires checking the topology graph defined by the edges of the physical topology.
S2, conflict detection: a conflict detection module is used to check each affected EC in the network model for policy violations, as shown in FIG. 7.
S2.1, define a policy graph over the packet header space, in which each node is a physical or software-based device and the edges carry labels representing different types of reachability constraint: m denotes the number of paths from node a to node b and n bounds the hop count;
S2.2, repair the loops in the network with the loop detection and elimination algorithm, then run the conflict detection module;
S2.3, when the verification engine finds a violating EC, execute the repair algorithm. When an update is intercepted, a network graph model is constructed for each affected EC; it captures the configured forwarding behaviour of all packets in the EC. The directed configuration graph, the topology graph and the policy graph are then taken as the input of the repair algorithm, and the repair problem is stated as an optimization problem whose goal is to add or delete the minimum number of edges on the configuration graph such that the modified configuration subgraph conforms to the associated policy subgraph, the added edges being constrained by the physical topology graph;
S2.4, the repair problem of the basic reachability policy is formulated as an integer linear programming (ILP) problem, expressed as follows:
Figure GDA0003645227820000091
Figure GDA0003645227820000092
Figure GDA0003645227820000093
S3, conflict resolution: as shown in fig. 8, the configuration graph and the physical topology graph are compressed and passed to the violation resolution module; the optimizer returns a set of edges of the EC configuration graph to add or delete, which are applied to the network model and translated into the corresponding OpenFlow rules; disconnected physical devices are deleted from the physical topology graph, which localizes the potentially affected part of the topology; the graphs are compressed by a symmetry rule (the bisimulation relation of claim 1), which guarantees that the compressed graph and the original graph satisfy the same policy;
S4, layout optimization policy: use a heuristic algorithm to reach an optimal deployment of the rules on the forwarding devices, as shown in fig. 9;
S4.1, compute the total overhead C of the layout from the total number of policy rules n(r);
S4.2, compute the standard deviation U of the flow-table storage utilization across switches, which is used to balance the switch load;
S4.3, to decide whether the approximate-optimal policy layout algorithm should run, let X be the number of switches whose capacity is exceeded under the current layout; when X > 0 the flag F is set to 1 and the algorithm is executed;
S4.4, the algorithm uses E for the number of rule conflicts across the whole network; the benefit of the current policy placement is then W = F / [(C × U) - E];
S4.5, if no move increases W over the current position, the process terminates; the current placement is the best solution only when W > 0, and the algorithm is shown on the right of fig. 9. Note that when W < 0 the current situation is unacceptable because a flow table has overflowed, and the controller must be consulted in interactive mode for the appropriate operating instructions;
In the above process a single-hop transfer function T_s is defined: its inputs are an endpoint policy P_e and a neighbouring switch s_a, and its output is a new set of policies; several single-hop transfer functions compose into a multi-hop transfer function, and three transfer cases arise:
if neither p nor its slice p' can be transferred to switch s, then [first case of T_s; an image in the original];
if only p can be transferred to switch s, then [second case of T_s; an image in the original];
if only the slice p' of p can be transferred to switch s, then [third case of T_s; two images in the original];
where the notation [an image in the original] denotes p with field f replaced by the value v.
As shown in fig. 1 and fig. 2, the policy violation and rule conflict detection and resolution method of this embodiment applies to an SDN environment with four main roles: the SDN controller, the SDN switches, the hosts and the servers.
Example:
Experimental environment: the SDN controller is Floodlight 1.2 and the network topology is emulated with Mininet 2.2. Policies are generated in two small experiments by different methods: in the first they are generated from a script file, in the second the ClassBench tool is used to generate a specific set of network endpoint policies.
Network topology: as shown in fig. 10, the Fattree topology has 10 switches and 8 hosts, of which 2 are servers and 6 are clients.
Experimental parameters: the initial settings of the optimal policy layout module are listed in the following table.
[Table of initial experimental parameters: present only as an image in the original]
The implementation proceeds as follows:
1. A Fattree topology is first created with Mininet, then a set of flow rules is created from a script file, and packets are generated with Scapy. The feasibility of policy conflict detection and of resolution is tested separately in the network model of this embodiment; first, one or two of the flow rules needed for connectivity in the topology are deleted at random to produce an initial state containing a reachability policy violation.
2. In the Fattree topology with k = 4, the network address space is divided into 20 parts according to the number of switches in the topology, each part corresponding to the host IP range attached to one switch (whose rules reside in that switch's TCAM). Rules of the form (IPsrc, IPdst, PORTsrc, PORTdst, Action) are then installed at random along the paths with the ClassBench tool as the endpoint policies the endpoints intend to generate; the action field holds distinct integers to distinguish different actions.
Results: after the policy conflict detection and resolution method of this invention is enabled, packet forwarding is unaffected in the normal case; when a policy conflict occurs, the violation detection module locates the affected equivalence class and the repair optimization algorithm returns the minimal change to the configuration graph. The results also show that the optimal policy layout algorithm clearly reduces the number of additional rules that network endpoint policies generate because of conflicts.
The embodiments show that representing the network policy correctness condition as a graph, rather than as the path set of conventional methods, handles a richer set of policies and optimally repairs the detected violations. The invention also uses a heuristic rule layout algorithm to minimize the number of rules per switch. It rejects illegal flow rules at low cost, resolves all policy violations, avoids rule conflicts among a large number of endpoint policies and preserves a level of network quality of service.

Claims (3)

1. A policy conflict detection and resolution method based on a graph representation in an SDN environment, characterized in that the method comprises the following steps in order:
S1, constructing a network model: construct a multi-bit prefix tree (TRIE) and expand it, group packets into equivalence classes (EC) according to the whole path from the root to a leaf of the expanded TRIE, then extract a configuration graph for each EC and further construct a policy graph to form the network model;
the specific content of step S1 is:
step S1.1, construct a multi-bit prefix tree TRIE in which each child node corresponds to a bit value from {0, 1, x}, each level of the TRIE represents the same bit position of the packet header, and the combination of nodes along each dimension of the TRIE represents the packet-header field information;
step S1.2, expand the TRIE of step S1.1 by adding a field pointer marking the start position of each header field and linking all related leaf nodes through leaf pointers, so that the whole path from the root to a leaf corresponds to all match fields of a flow-table entry;
step S1.3, according to the flow rules along the whole path, group the packets subjected to the same flow-rule action into one equivalence class EC; each EC is defined by a series of bits with specific values, and the packets of one EC are matched by the same flow rules;
S1.4, store the generated ECs in the leaf nodes and periodically apply rule updates; quickly search out the policies affected by a violation; extract a configuration graph containing the forwarding behaviour from each EC; finally, add or delete the configuration-graph links necessary to repair the EC, and build the physical topology graph, whose edges are defined by the physical topology, by looking up the configuration-graph links;
S2, conflict detection: use the conflict detection module to check whether each affected EC in the network model violates a policy; the specific content of step S2 is:
S2.1, on the basis of the policy graph constructed in step S1, define a policy graph over a packet-header pattern in which each node is a physical or software-based device and the edges are labelled with different types of reachability constraints;
S2.2, repair loops in the network with the loop detection and removal algorithm, then run the conflict detection module; for detection, G = (V, E, L) denotes a directed graph, where V is the set of nodes, (a, b) ∈ E is a directed edge from node a to node b, and L(a) ∈ Γ is the label of node a, Γ being the set of labels applied to V; a bisimulation relation on G = (V, E, L) is a binary relation BR ⊆ V × V such that for all (a, b) ∈ BR:
1) L(a) = L(b);
2) if (a, a') ∈ E, then there exists b' with (b, b') ∈ E and (a', b') ∈ BR;
3) if (b, b') ∈ E, then there exists a' with (a, a') ∈ E and (a', b') ∈ BR;
the compressed versions of the configuration graph EC_c, the policy graph P and the physical topology graph T are written EC_c', P' and T', where T is the physical topology graph, P the policy graph and EC_c the configuration graph of equivalence class EC;
S2.3, when the conflict detection module finds an EC that violates a policy, the conflict resolution module runs the conflict resolution algorithm; when an update is intercepted, a network model is built for each affected EC that captures the configured forwarding behaviour of all packets in the EC; then the directed configuration graph, the physical topology graph and the policy graph are the inputs of the conflict resolution algorithm, which states the repair as an optimization problem: add or delete the minimum number of edges of the configuration graph so that the modified configuration subgraph conforms to the relevant policy subgraph, with every added edge constrained to exist in the physical topology graph;
S2.4, the repair problem for the basic reachability policy is stated as an integer linear program (ILP):
[ILP objective and constraints: present only as images in the original]
where the variable x_{a,b,e,f} encodes the mapping between a physical topology edge and a policy graph edge: it is set when the directed edge (a, b) in the configuration graph of the current EC_c carries the flow from node e to node f, i.e. that flow is forwarded from node a to node b over (a, b); the variable x_{a,b} indicates whether this EC's traffic is forwarded over the directed edge (a, b) at all, regardless of which flow uses it; and the variable x_{b,a} indicates whether this EC's traffic is forwarded over the directed edge (b, a);
S3, conflict resolution: compress the configuration graph and the physical topology graph and pass them to the violation resolution module; the optimizer returns a set of edges of the EC configuration graph to add or delete, which are applied to the network model and translated into the corresponding OpenFlow rules; the specific content of step S3 is: delete disconnected physical devices from the physical topology graph, which localizes the potentially affected part of the topology; compress the policy graph, the physical topology graph and the EC configuration graph by the symmetry rule, ensuring that the compressed policy graph, physical topology graph and EC configuration graph correspond to the original graphs;
S4, layout optimization policy: use a heuristic algorithm to reach an optimal deployment of the rules on the forwarding devices; the detailed process of the layout optimization policy of step S4 is:
S4.1, compute the total overhead C of the layout from the total number of policies;
S4.2, compute the standard deviation U of the flow-table storage utilization across switches, which is used to balance the switch load;
S4.3, to decide whether the current approximate-optimal policy layout algorithm should run, let X be the number of switches whose capacity is exceeded under the current layout; when X > 0 the flag F is set to 1 and the approximate-optimal policy layout algorithm is executed;
S4.4, the approximate-optimal policy layout algorithm uses E for the number of rule conflicts across the whole network; the benefit of the current policy placement is expressed as W = F / [(C × U) - E];
S4.5, if no move increases W over the current position, the process terminates; the current placement is the best solution only when W > 0; when W < 0 a flow table has overflowed, the current situation is unacceptable, and the controller must be consulted in interactive mode for the appropriate operating instructions.
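The bisimulation relation of step S2.2 is what lets step S3 compress the configuration, policy and topology graphs without changing which policies they satisfy. The following is an added example, not the patent's implementation: it computes the coarsest bisimulation of a labelled directed graph by partition refinement (start from the label partition, then split blocks by the set of successor blocks until nothing changes) and builds the quotient graph. The graph, the role labels and the node names are constructed for illustration; the same routine applies unchanged to EC_c, P and T.

```python
"""Bisimulation-based compression of a labelled directed graph (steps S2.2 / S3).

Added example, not the patent's code. The sample is a constructed toy
configuration graph for one EC: node labels are device roles, edges the
forwarding direction captured in that EC.
"""
from collections import deque
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


def coarsest_bisimulation(nodes: Dict[str, str],
                          edges: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """Return a block id per node for the coarsest bisimulation BR on G = (V, E, L).

    (a, b) is in BR iff L(a) == L(b) (condition 1) and every successor of a is
    matched by a successor of b in the same block and vice versa (conditions
    2 and 3). Partition refinement only ever splits blocks, so the partition
    is stable as soon as the number of blocks stops growing.
    """
    succ: Dict[str, Set[str]] = {v: set() for v in nodes}
    for a, b in edges:
        succ[a].add(b)
    labels = sorted(set(nodes.values()))
    block = {v: labels.index(lab) for v, lab in nodes.items()}   # condition 1
    while True:
        ids: Dict[Tuple[int, FrozenSet[int]], int] = {}
        new_block: Dict[str, int] = {}
        for v in sorted(nodes):
            # signature = own block + set of successor blocks (conditions 2, 3)
            sig = (block[v], frozenset(block[w] for w in succ[v]))
            new_block[v] = ids.setdefault(sig, len(ids))
        if len(ids) == len(set(block.values())):
            return new_block
        block = new_block


def compress(nodes: Dict[str, str], edges: Iterable[Tuple[str, str]],
             block: Dict[str, int]):
    """Quotient graph: one node per block, labelled like its members."""
    qnodes = {block[v]: lab for v, lab in nodes.items()}
    qedges = sorted({(block[a], block[b]) for a, b in edges})
    return qnodes, qedges


def reachable(edges, src, dst) -> bool:
    """BFS reachability; works on the original and on the quotient graph."""
    succ: Dict[object, Set[object]] = {}
    for a, b in edges:
        succ.setdefault(a, set()).add(b)
    seen, todo = {src}, deque([src])
    while todo:
        v = todo.popleft()
        if v == dst:
            return True
        for w in succ.get(v, ()):
            if w not in seen:
                seen.add(w)
                todo.append(w)
    return False


def sample_graph():
    """Constructed fat-tree-style EC graph: hosts -> edge -> agg -> core -> server side."""
    nodes = {"h1": "host", "h2": "host", "h3": "host", "h4": "host",
             "e1": "edge", "e2": "edge", "e3": "edge",
             "a1": "agg", "a2": "agg", "a3": "agg",
             "c1": "core", "c2": "core", "s": "server"}
    edges: List[Tuple[str, str]] = [
        ("h1", "e1"), ("h2", "e1"), ("h3", "e2"), ("h4", "e2"),
        ("e1", "a1"), ("e1", "a2"), ("e2", "a1"), ("e2", "a2"),
        ("a1", "c1"), ("a2", "c2"), ("c1", "a3"), ("c2", "a3"),
        ("a3", "e3"), ("e3", "s"),
    ]
    return nodes, edges


if __name__ == "__main__":
    nodes, edges = sample_graph()
    blk = coarsest_bisimulation(nodes, edges)
    qn, qe = compress(nodes, edges, blk)
    print(f"{len(nodes)} nodes / {len(edges)} edges -> {len(qn)} blocks / {len(qe)} edges")
    print("host reaches server:", reachable(edges, "h1", "s"), reachable(qe, blk["h1"], blk["s"]))
```

On the sample the 13 nodes collapse to 7 blocks (the four hosts, the two host-side edge switches, the two aggregation switches and the two cores each merge), and reachability from a host to the server is the same in the quotient as in the original, which is the property step S3 relies on.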
2. The method of claim 1, characterized in that the fast search of step S1.4 is as follows:
a TRIE data structure stores all forwarding rules present on all devices in the network; each rule is treated as a binary string and the TRIE is represented one bit per level, each level standing for one bit of a particular rule; each node of the TRIE has three branches: the first is taken if the corresponding rule bit is 0, the second if the rule bit is 1, and the third if the bit is don't-care; a leaf of the TRIE stores the actual rule represented by the path from the root to that leaf. Given a new rule, start from its first bit and traverse the TRIE from the root, checking each bit and taking the branch selected by its value: for a don't-care bit all branches of the current node must be explored, since the bit can take any value; for a 0 or 1 bit, explore the matching 0 or 1 branch and the don't-care branch. When the leaves of all explored paths are reached, the list of rules that overlap the new rule is obtained, and this list is used to construct the equivalence classes and the configuration graph.
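The three-branch TRIE of claim 2, and the equivalence-class grouping of step S1.3 built on it, as an added example (not the patent's own code). Match strings are constructed 4-bit ternary strings over {0, 1, x}; in a deployment they would be the concatenated match fields of a flow-table entry, with the field pointers of step S1.2 marking field boundaries. The rule names, actions and widths below are assumptions for illustration.

```python
"""Ternary TRIE over flow-rule match strings, as sketched in claims 1 and 2.

Added example (not the patent's code). Rules are constructed here as 4-bit
ternary strings over {0, 1, x}.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Rule:
    name: str
    match: str    # ternary match string, e.g. "1x0x"
    action: str   # e.g. "fwd:2" or "drop"


@dataclass
class TrieNode:
    # One child per bit value '0', '1', 'x'; each TRIE level is one bit position.
    children: Dict[str, "TrieNode"] = field(default_factory=dict)
    rules: List[Rule] = field(default_factory=list)   # leaves hold the rules


class RuleTrie:
    def __init__(self, width: int) -> None:
        self.width = width
        self.root = TrieNode()

    def insert(self, rule: Rule) -> None:
        if len(rule.match) != self.width or set(rule.match) - set("01x"):
            raise ValueError(f"bad match string {rule.match!r}")
        node = self.root
        for bit in rule.match:
            node = node.children.setdefault(bit, TrieNode())
        node.rules.append(rule)

    def overlapping(self, match: str) -> List[Rule]:
        """All stored rules whose match region intersects `match`.

        For a query bit of 0 or 1 follow that branch and the 'x' branch; for
        a query bit of x every stored value can still match, so follow all.
        """
        frontier = [self.root]
        for bit in match:
            branches = ("0", "1", "x") if bit == "x" else (bit, "x")
            nxt: List[TrieNode] = []
            for node in frontier:
                for b in branches:
                    child = node.children.get(b)
                    if child is not None:
                        nxt.append(child)
            frontier = nxt
            if not frontier:
                return []
        return [r for leaf in frontier for r in leaf.rules]


def equivalence_classes(trie: RuleTrie) -> Dict[Tuple[str, ...], List[str]]:
    """Group every concrete header by the exact set of rules matching it.

    Each group is one equivalence class (EC): all of its packets are handled
    by the same flow rules. Exhaustive enumeration is only viable for the toy
    width used here; the patent keeps the ECs in the TRIE leaves instead.
    """
    classes: Dict[Tuple[str, ...], List[str]] = {}
    for i in range(2 ** trie.width):
        header = format(i, f"0{trie.width}b")
        key = tuple(sorted(r.name for r in trie.overlapping(header)))
        classes.setdefault(key, []).append(header)
    return classes


def build_sample() -> RuleTrie:
    """Constructed sample rule set (not from the patent)."""
    trie = RuleTrie(width=4)
    for rule in (Rule("R1", "1x0x", "fwd:1"),
                 Rule("R2", "11xx", "fwd:2"),
                 Rule("R3", "xxx1", "drop")):
        trie.insert(rule)
    return trie


if __name__ == "__main__":
    t = build_sample()
    print("rules overlapping new rule 110x:", [r.name for r in t.overlapping("110x")])
    for rules, headers in sorted(equivalence_classes(t).items()):
        print(rules or ("<no rule>",), headers)
```

Querying a new rule such as `110x` returns every stored rule it overlaps, which is the list the claim feeds into EC construction; with the three sample rules the 16 possible headers fall into 8 equivalence classes, one of them the set of headers no rule matches.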
3. The method of claim 1, characterized in that the loop detection and removal algorithm of step S2.2 is as follows:
let SL(c) denote the set of all cycles occurring in the configuration graph EC_c, n(SL(c)) the number of cycles in EC_c, and τ_a a subgraph of EC_c; when the subgraph is acyclic, n(τ_a) = 0;
find and delete all edges shared by several cycles of EC_c; for each remaining cycle of EC_c that is not repaired by that deletion, remove one directed edge (a, b): while τ_a still contains a loop, delete the edge of the loop with the most specific matching rule, and recompute EC_c; each edge maps to a specific forwarding rule on a specific switch, and that forwarding rule is replaced by a drop rule, which deletes the edge.
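The loop-removal procedure of claim 3 in runnable form, as an added example that is not the patent's implementation. Each edge of the toy EC configuration graph is tagged with the ternary match of the forwarding rule on the source switch that produces it; the code first removes edges lying on two or more cycles, then, while a loop remains, removes the loop edge with the most specific rule (fewest don't-care bits), emitting a drop rule for every removed edge. Switch names, match strings and the specificity measure are assumptions for illustration.

```python
"""Loop detection and removal on an EC configuration graph (claim 3).

Added example, not the patent's code. Edges are constructed sample data:
(from_switch, to_switch, match) where `match` is the ternary match string
of the forwarding rule on from_switch that creates the edge.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

Edge = Tuple[str, str, str]


def specificity(match: str) -> int:
    """More fixed bits (fewer 'x') = more specific rule."""
    return sum(1 for b in match if b != "x")


def successors(edges: List[Edge]) -> Dict[str, Set[str]]:
    succ: Dict[str, Set[str]] = {}
    for a, b, _ in edges:
        succ.setdefault(a, set()).add(b)
        succ.setdefault(b, set())
    return succ


def find_cycles(edges: List[Edge]) -> List[List[str]]:
    """Elementary cycles as node lists, each reported once (smallest node first).

    Plain DFS enumeration; adequate for per-EC graphs of a few switches.
    """
    succ = successors(edges)
    cycles: List[List[str]] = []
    for start in sorted(succ):
        stack = [(start, [start])]
        while stack:
            v, path = stack.pop()
            for w in sorted(succ[v]):
                if w == start:
                    cycles.append(path)
                elif w > start and w not in path:
                    stack.append((w, path + [w]))
    return cycles


def cycle_edges(cycle: List[str], edges: List[Edge]) -> List[Edge]:
    pairs = set(zip(cycle, cycle[1:] + cycle[:1]))
    return [e for e in edges if (e[0], e[1]) in pairs]


def break_loops(edges: List[Edge]):
    """Return (acyclic edge list, drop rules to install) following claim 3."""
    remaining = list(edges)
    drops: List[Tuple[str, str, str]] = []

    def remove(e: Edge) -> None:
        remaining.remove(e)
        drops.append((e[0], e[2], "drop"))   # replace the forwarding rule by a drop rule

    # Pass 1: delete edges that lie on two or more cycles ("intersecting" edges).
    count = Counter(e for c in find_cycles(remaining) for e in cycle_edges(c, remaining))
    for e, n in sorted(count.items()):
        if n >= 2:
            remove(e)
    # Pass 2: while the subgraph still has a loop, delete its most specific edge.
    while True:
        cycles = find_cycles(remaining)
        if not cycles:
            return remaining, drops
        victim = max(cycle_edges(cycles[0], remaining),
                     key=lambda e: (specificity(e[2]), e))
        remove(victim)


# Constructed sample: two cycles sharing s2->s3, plus an independent s5<->s6 loop.
SAMPLE: List[Edge] = [
    ("s1", "s2", "10xx"), ("s2", "s3", "1xxx"), ("s3", "s1", "10x1"),
    ("s3", "s4", "xxxx"), ("s4", "s2", "101x"),
    ("s5", "s6", "1100"), ("s6", "s5", "11xx"),
    ("s4", "s7", "0xxx"),
]

if __name__ == "__main__":
    acyclic, drop_rules = break_loops(SAMPLE)
    print("cycles before:", find_cycles(SAMPLE))
    print("drop rules:", drop_rules)
    print("cycles after:", find_cycles(acyclic))
```

On the sample the shared edge s2→s3 is removed first, which breaks both three-switch cycles at once; the s5/s6 loop survives that pass, so its most specific rule (`1100` on s5) is the one replaced by a drop rule.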

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011259536.7A CN112437065B (en) 2020-11-12 2020-11-12 Strategy conflict detection and solution method based on graphic representation under SDN environment

Publications (2)

Publication Number Publication Date
CN112437065A CN112437065A (en) 2021-03-02
CN112437065B true CN112437065B (en) 2022-06-21

Family

ID=74700715


Country Status (1)

Country Link
CN (1) CN112437065B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116155737A (en) * 2021-11-23 2023-05-23 华为云计算技术有限公司 Network configuration method and device

Citations (2)

Publication number Priority date Publication date Assignee Title
CN106411568A (en) * 2016-08-30 2017-02-15 同济大学 SDN (Software Defined Network) network state updating method and system based on rule conflict
CN110225008A (en) * 2019-05-27 2019-09-10 四川大学 SDN network state consistency verification method under a kind of cloud environment

Family Cites Families (5)

Publication number Priority date Publication date Assignee Title
CN104202303A (en) * 2014-08-11 2014-12-10 华中科技大学 Policy conflict detection method and system for SDN (Software Defined Network) application
US10411951B2 (en) * 2015-02-10 2019-09-10 Hewlett Packard Enterprise Development Lp Network policy conflict detection and resolution
CN105721297B (en) * 2016-01-28 2019-04-09 北京国电通网络技术有限公司 Detection method and system based on route loop in SDN network
US10868737B2 (en) * 2016-10-26 2020-12-15 Arizona Board Of Regents On Behalf Of Arizona State University Security policy analysis framework for distributed software defined networking (SDN) based cloud environments
SG10201703959RA (en) * 2017-05-15 2018-12-28 Huawei Int Pte Ltd System and method for detecting routing loops in a software defined network (sdn)




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant