CN114338119A - Network isolation method and system and proxy equipment - Google Patents


Publication number
CN114338119A
Authority
CN
China
Prior art keywords
data packet
switch
slice
network
proxy
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111589872.2A
Other languages
Chinese (zh)
Other versions
CN114338119B (en)
Inventor
张昊迪
王帅
金华敏
邓晓东
汪来富
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Telecom Corp Ltd
Priority to CN202111589872.2A (granted as CN114338119B)
Publication of CN114338119A
Priority claimed by PCT/CN2022/132152 (published as WO2023116268A1)
Application granted
Publication of CN114338119B
Legal status: Active
Anticipated expiration: not listed

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The disclosure provides a network isolation method, a network isolation system and a proxy device, and relates to the field of network and information security. The method comprises: a proxy device receives a first data packet sent by a switch; the proxy device determines the network slice corresponding to the first data packet according to a flow space, where the flow space defines the network slice corresponding to each data flow so as to construct an isolated logical network; the proxy device rewrites the match-field content of the fields in the first data packet that can identify different network slices; and the proxy device sends the rewritten first data packet to the slice controller corresponding to that network slice. Based on the proxy, network isolation is updated and improved, the VLAN-related operations of a virtual bridge are saved, the performance loss of VXLAN or GRE conversion is avoided, and the slice controller's management of real-time control flow is simplified.

Description

Network isolation method and system and proxy equipment
Technical Field
The present disclosure relates to the field of network and information security, and in particular, to a network isolation method, a network isolation system, and a proxy device.
Background
At present, Layer 2 network isolation generally uses technologies such as VLAN (Virtual Local Area Network), VXLAN (Virtual eXtensible Local Area Network) or GRE (Generic Routing Encapsulation). Since the number of VLANs that can be supported is limited, VXLAN or GRE is used in private cloud or public cloud scenarios. VXLAN and GRE add an encapsulation layer outside the transport layer, which introduces encapsulation and decapsulation work and reduces network efficiency.
Disclosure of Invention
The embodiments of the disclosure, based on a proxy, update and improve network isolation, save the VLAN-related operations of the virtual bridge, and avoid the performance loss of VXLAN or GRE conversion. In addition, decoupling network isolation from the controller reduces the complexity of the controller's network management (such as flow table operations and troubleshooting) and simplifies the slice controller's management of real-time control flow.
Some embodiments of the present disclosure provide a network isolation method, including: a proxy device receives a first data packet sent by a switch; the proxy device determines the network slice corresponding to the first data packet according to a flow space, where the flow space defines the network slice corresponding to each data flow so as to construct an isolated logical network; the proxy device rewrites the match-field content of the fields in the first data packet that can identify different network slices; and the proxy device sends the rewritten first data packet to the slice controller corresponding to that network slice.
In some embodiments, the network isolation method further comprises: the proxy device receives a second data packet sent by the slice controller; the proxy device rewrites the second data packet according to the network slice corresponding to the slice controller, so that the rewritten second data packet has fields capable of identifying different network slices; and the proxy device sends the rewritten second data packet to the corresponding switch.
In some embodiments, the proxy device rewriting the match-field content of the fields in the first data packet that can identify different network slices comprises: the proxy device rewrites the match-field content of those fields to the information of the proxy device.
In some embodiments, rewriting, by the proxy device, the match-field content of those fields to the information of the proxy device includes: the proxy device rewrites the match-field content of at least one of the source IP address, the source port number and the source MAC address in the first data packet from the corresponding IP address, port number or MAC address of the switch to that of the proxy device.
In some embodiments, before sending the rewritten first data packet to the slice controller corresponding to the network slice of the first data packet, the proxy device rewrites the match-field content of at least one of the destination IP address, the destination port number and the destination MAC address in the first data packet from the corresponding IP address, port number or MAC address of the proxy device to that of the slice controller of that network slice.
In some embodiments, the rewriting, by the proxy device, of the second data packet according to the network slice corresponding to the slice controller, so that the rewritten second data packet has fields capable of identifying different network slices, includes: the proxy device rewrites the match-field content of at least one of the destination IP address, the destination port number and the destination MAC address in the second data packet from the corresponding IP address, port number or MAC address of the proxy device to that of the switch.
In some embodiments, before sending the rewritten second data packet to the corresponding switch, the proxy device rewrites the match-field content of at least one of the source IP address, the source port number and the source MAC address in the second data packet from the corresponding IP address, port number or MAC address of the slice controller to that of the proxy device.
In some embodiments, the first data packet sent by the switch is a data packet requesting a flow table, and the second data packet sent by the slice controller is a data packet issuing the flow table.
In some embodiments, the network isolation method further comprises: the proxy device receives a symmetric message sent by the switch; if the target proxy device corresponding to the switch is the current proxy device, it searches whether a corresponding network slice exists, and if so, sends the symmetric message of the switch to the slice controller corresponding to that network slice.
In some embodiments, the network isolation method further comprises: if the target proxy device corresponding to the switch is not the current proxy device, the symmetric message of the switch is flooded to all proxy devices; the target proxy device corresponding to the switch searches whether a corresponding network slice exists, and if so, sends the symmetric message of the switch to the slice controller corresponding to that network slice.
In some embodiments, the network isolation method further comprises: the proxy device receives a symmetric message sent by the slice controller, and sends it to the switches corresponding to the network slice according to the network slice corresponding to the slice controller.
In some embodiments, the network isolation method further comprises: when the logical network in which the switch is located changes, the proxy device synchronously updates the data it stores about the network slice to which the switch belongs, according to the changed network slice corresponding to the latest slice controller.
In some embodiments, the network isolation method further comprises: the proxy device receives a third data packet sent by the switch and sends it, according to the flow table, to the destination corresponding to the matching network slice, so as to reduce the control flow that the slice controller must process in real time.
Some embodiments of the present disclosure provide a proxy device, including: a memory; and a processor coupled to the memory, the processor configured to perform the network isolation method of embodiments based on instructions stored in the memory.
Some embodiments of the present disclosure provide a network isolation system, which includes a switch, a slice controller, and a proxy device, where the switch is communicatively connected to the proxy device, and the proxy device is communicatively connected to the slice controller.
Some embodiments of the present disclosure provide a non-transitory computer readable storage medium having stored thereon a computer program that, when executed by a processor, performs the steps of the network isolation method of the embodiments.
Drawings
The drawings that will be used in the description of the embodiments or the related art will be briefly described below. The present disclosure can be understood more clearly from the following detailed description, which proceeds with reference to the accompanying drawings.
It is to be understood that the drawings in the following description are merely exemplary of the disclosure, and that other drawings may be derived from those drawings by one of ordinary skill in the art without undue inventive faculty.
Fig. 1 illustrates a flow diagram of a network isolation method of some embodiments of the present disclosure.
Fig. 2 shows a schematic flow diagram of a network isolation method according to further embodiments of the present disclosure.
Fig. 3 illustrates a schematic diagram of a network isolation system of some embodiments of the present disclosure.
Fig. 4 illustrates a schematic diagram of a proxy device of some embodiments of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present disclosure will be clearly and completely described below with reference to the drawings in the embodiments of the present disclosure.
Unless otherwise specified, "first", "second", and the like in the present disclosure are described to distinguish different objects, and are not intended to mean size, timing, or the like.
A proxy device is provided between the switch and the slice controller. The proxy device takes the role of a slice controller towards the switch and the role of a switch towards the slice controller. Each proxy device defines its own flow space. The switch is, for example, an OpenFlow switch. The proxy device is, for example, an OpenFlow proxy device. The slice controller is, for example, an SDN (Software-Defined Networking) controller, referred to below simply as a controller. The flow table issued by the slice controller is, for example, an OpenFlow flow table.
Fig. 1 illustrates a flow diagram of a network isolation method of some embodiments of the present disclosure.
As shown in fig. 1, the network isolation method of this embodiment includes the following steps.
In step 110, the agent device receives a first data packet sent by the switch.
The first packet sent by the switch is, for example, a packet requesting a flow table. The proxy device takes the role of a controller towards the switch; when the switch finds a packet it cannot match, it sends a data packet requesting a flow table to the proxy device.
Step 120, the proxy device matches the packet against its own flow space to determine whether the network slice corresponding to the first data packet can be determined. If there is no match, the proxy device may discard the first packet. If there is a match, the proxy device determines the network slice corresponding to the first data packet according to the flow space, and rewrites the match-field content of the fields in the first data packet that can identify different network slices.
The flow space defines the network slice corresponding to each data flow; different data flows correspond to different network slices, so as to construct an isolated logical network. A flow space may be constructed according to the network topology before interworking, and the proxy device slices traffic using the flow space. When the logical network in which the switch is located changes, the proxy device synchronously updates the data it stores about the network slice to which the switch belongs, according to the changed network slice corresponding to the latest slice controller.
The proxy device may convert the first packet into an offset data structure and then match it against the entries in its own flow space; if there is no matching entry, it may notify the controller to discard the first packet, and if there is a matching entry, it acquires the action list and executes the corresponding instructions.
The rewriting, by the proxy device, of the match-field content of the fields in the first data packet that can identify different network slices comprises: the proxy device rewrites the match-field content of those fields to the information of the proxy device.
The rewriting, by the proxy device, of that match-field content to the information of the proxy device includes: the proxy device rewrites the match-field content of at least one of the source IP (Internet Protocol) address, the source port number and the source MAC (Media Access Control) address in the first data packet from the corresponding IP address, port number or MAC address of the switch to that of the proxy device.
Before sending the rewritten first data packet to the slice controller corresponding to the network slice of the first data packet, the proxy device also rewrites the match-field content of at least one of the destination IP address, the destination port number and the destination MAC address in the first data packet from the corresponding IP address, port number or MAC address of the proxy device to that of the slice controller of that network slice.
Step 130, the proxy device sends the rewritten first data packet to the slice controller corresponding to the network slice of the first data packet.
Thus, by rewriting the negotiation information in the data packet passing from the forwarding layer to the control layer, the slice controller is guaranteed to obtain only the switch information of the network slice for which it is responsible; the complexity of the slice controller's network management work is reduced, and its management of real-time control flow is simplified.
Step 140, after receiving the flow table request, the slice controller sends the corresponding flow table according to the global topology of the flow space. The data packet issuing the flow table is called the second data packet, and the proxy device receives the second data packet sent by the slice controller.
Step 150, after matching against its own flow space according to the network slice corresponding to the slice controller, the proxy device rewrites the second data packet so that the rewritten second data packet has fields capable of identifying different network slices.
The proxy device rewriting the second data packet so that the rewritten second data packet has fields capable of identifying different network slices includes: after matching against its own flow space according to the network slice corresponding to the slice controller, the proxy device rewrites the match-field content of at least one of the destination IP address, the destination port number and the destination MAC address in the second data packet from the corresponding IP address, port number or MAC address of the proxy device to that of the switch.
Before sending the rewritten second data packet to the corresponding switch, the proxy device also rewrites the match-field content of at least one of the source IP address, the source port number and the source MAC address in the second data packet from the corresponding IP address, port number or MAC address of the slice controller to that of the proxy device.
Step 160, after matching against its own flow space, the proxy device sends the rewritten second data packet to the corresponding switch, so that the switch obtains the flow table.
Thus, by rewriting the information in the data packet passing from the control layer to the forwarding layer, the switch obtains the flow table of its corresponding flow space.
The proxy device intercepts the data packets between the switch and the controller and completes network isolation through message rewriting. Each controller manages only the global policy flow table of its own slice space, frequent modification is not needed, and management efficiency is improved.
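The packet-in / flow-mod exchange of steps 110 to 160, as an added worked example that is not part of the patent and not China Telecom's code. It assumes a flow space keyed by (originating switch IP, flow description), an OpenFlow-style transaction id `xid` that the proxy uses to pair a controller's reply with the request it relayed, and constructed addresses for one proxy, two slice controllers and two switches; the names `Endpoint`, `Packet`, `FlowSpace`, `Proxy`, `build_flow_space` and `demo` are all hypothetical.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    """Identity of a node in the L2/L3/L4 match fields the proxy rewrites."""
    ip: str
    port: int
    mac: str


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    kind: str    # "flow_request" (switch -> controller) or "flow_mod" (controller -> switch)
    xid: int     # transaction id, carried unchanged; pairs a reply with its request (assumption)
    match: str   # the data flow the switch could not resolve, e.g. "10.1.0.5->10.1.0.9"


class FlowSpace:
    """Coarse-grained slicing: which network slice a data flow belongs to.

    Assumed key: (originating switch IP, flow description). A flow that is
    listed in no slice is outside every logical network and is dropped.
    """

    def __init__(self, entries: Dict[Tuple[str, str], str]):
        self._entries = dict(entries)

    def slice_for(self, pkt: Packet) -> Optional[str]:
        return self._entries.get((pkt.src.ip, pkt.match))

    def update(self, switch_ip: str, match: str, slice_id: str) -> None:
        """Synchronous update when the switch's logical network changes."""
        self._entries[(switch_ip, match)] = slice_id


class Proxy:
    def __init__(self, me: Endpoint, flow_space: FlowSpace, controllers: Dict[str, Endpoint]):
        self.me = me
        self.flow_space = flow_space
        self.controllers = controllers          # slice id -> slice controller
        self._pending: Dict[Tuple[str, int], Endpoint] = {}  # (slice, xid) -> requesting switch

    def from_switch(self, pkt: Packet) -> Optional[Tuple[str, Packet]]:
        """Steps 110-130: classify by flow space, rewrite, hand to the slice controller."""
        if pkt.kind != "flow_request" or pkt.dst != self.me:
            return None                         # not a request addressed to this proxy
        slice_id = self.flow_space.slice_for(pkt)
        if slice_id is None:
            return None                         # no flow-space match: discard
        self._pending[(slice_id, pkt.xid)] = pkt.src
        # Source fields: switch -> proxy. Destination fields: proxy -> slice controller.
        return slice_id, replace(pkt, src=self.me, dst=self.controllers[slice_id])

    def from_controller(self, pkt: Packet) -> Optional[Packet]:
        """Steps 140-160: map the controller to its slice, rewrite, hand to the switch."""
        slice_id = next((s for s, c in self.controllers.items() if c == pkt.src), None)
        if pkt.kind != "flow_mod" or slice_id is None or pkt.dst != self.me:
            return None
        switch = self._pending.pop((slice_id, pkt.xid), None)
        if switch is None:
            return None                         # no request of this slice is waiting for it
        # Destination fields: proxy -> switch. Source fields: slice controller -> proxy.
        return replace(pkt, src=self.me, dst=switch)


# Constructed sample identities (documentation addresses, not real devices).
PROXY = Endpoint("192.0.2.10", 6653, "02:00:00:00:00:10")
CTRL_A = Endpoint("192.0.2.101", 6653, "02:00:00:00:01:01")
CTRL_B = Endpoint("192.0.2.102", 6653, "02:00:00:00:01:02")
SWITCH_1 = Endpoint("192.0.2.21", 40001, "02:00:00:00:00:21")
SWITCH_2 = Endpoint("192.0.2.22", 40002, "02:00:00:00:00:22")


def build_flow_space() -> FlowSpace:
    return FlowSpace({
        (SWITCH_1.ip, "10.1.0.5->10.1.0.9"): "slice-A",
        (SWITCH_2.ip, "10.2.0.5->10.2.0.9"): "slice-B",
    })


def demo():
    proxy = Proxy(PROXY, build_flow_space(), {"slice-A": CTRL_A, "slice-B": CTRL_B})
    req = Packet(SWITCH_1, PROXY, "flow_request", xid=7, match="10.1.0.5->10.1.0.9")
    slice_id, to_ctrl = proxy.from_switch(req)
    # A controller of another slice answering with the same xid is not relayed.
    foreign = proxy.from_controller(Packet(CTRL_B, PROXY, "flow_mod", xid=7, match=req.match))
    to_switch = proxy.from_controller(Packet(CTRL_A, PROXY, "flow_mod", xid=7, match=req.match))
    # A flow that belongs to no slice is discarded at the proxy.
    dropped = proxy.from_switch(Packet(SWITCH_1, PROXY, "flow_request", 8, "10.9.0.1->10.9.0.2"))
    # The switch's logical network changes: the same flow now belongs to slice-B.
    proxy.flow_space.update(SWITCH_1.ip, req.match, "slice-B")
    moved_slice, moved = proxy.from_switch(replace(req, xid=9))
    return slice_id, to_ctrl, to_switch, dropped, foreign, moved_slice, moved
```

The two properties that matter for isolation are visible in `demo`: the slice controller only ever sees the proxy's own source fields, never the switch's, and a controller of a different slice cannot inject a reply into a request it never received, because `from_controller` looks the reply up under the replying controller's own slice.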
If the switch and the slice controller have already learned the information of the node devices in their own flow space, the embodiment shown in fig. 1 may be executed to acquire the flow table; otherwise, the embodiment shown in fig. 2 is executed first, so that the switch and the slice controller learn the information of the node devices in their own flow space, and then the embodiment shown in fig. 1 is executed to acquire the flow table.
Fig. 2 shows a schematic flow diagram of a network isolation method according to further embodiments of the present disclosure.
As shown in fig. 2, the network isolation method of this embodiment includes the following steps.
In step 210, the proxy device receives a symmetric message sent by the switch. The symmetric message is, for example, a Link Discovery message, such as a Link Layer Discovery Protocol (LLDP) message.
In link discovery, a node in the network sends messages to the other nodes so that they learn of its existence. Taking LLDP as an example, a node may encapsulate its own processing capability, management address, device identifier, interface identifier and the like, and send the encapsulated information to its directly connected neighbours.
Step 220, if the target proxy device corresponding to the switch is the current proxy device, the current proxy device searches whether a corresponding network slice exists according to the flow space of the current proxy device, and if so, sends the symmetric message of the switch to a slice controller corresponding to the network slice, so that the slice controller learns the existence of the switch.
Step 230, if the target proxy device corresponding to the switch is not the current proxy device, the current proxy device floods the symmetric message of the switch to all proxy devices, the target proxy device corresponding to the switch searches whether a corresponding network slice exists according to its own flow space, and if so, the symmetric message of the switch is sent to the slice controller corresponding to the network slice, so that the slice controller learns the existence of the switch.
In step 240, the proxy device receives a symmetric message sent by the slice controller. The symmetric message is, for example, a link discovery message, such as an LLDP message.
In step 250, the proxy device sends the symmetric message of the slice controller to the switch corresponding to the network slice flow space according to the network slice flow space corresponding to the slice controller, so that the switch knows the existence of the slice controller.
Thus, the switch and the slice controller are made to know information of the node devices in their own flow space, respectively.
After the switch and the slice controller have each acquired the information of the node devices in their own flow space through the embodiment shown in fig. 2, and the flow table has been acquired through the embodiment shown in fig. 1, the proxy device receives a third data packet sent by the switch; if the third data packet matches a corresponding flow table entry, it is sent according to the flow table to the destination corresponding to that network slice, so that the control flow the slice controller must process in real time is reduced.
In the disclosure, traffic in the network is sliced according to flow space matching, which realizes coarse-grained network isolation, and within a slice the network traffic is forwarded according to the flow table issued by the slice controller, which realizes fine-grained network isolation.
The network isolation technique of the disclosure can be applied, for example, to network isolation during the interconnection of heterogeneous cyber ranges. A cyber range is a technology or product that, based on virtualization, simulates and reproduces the running state and running environment of network architectures, system devices and business processes in real cyberspace, so as to carry out cyber-security learning, research, testing, competition, drills and similar activities more effectively and thereby raise the cyber-security confrontation level of personnel and organizations. In the course of building large cyber ranges, network isolation is needed when heterogeneous ranges, or ranges in general, are interconnected.
Fig. 3 illustrates a schematic diagram of a network isolation system of some embodiments of the present disclosure.
As shown in fig. 3, the network isolation system of this embodiment includes: a switch 300, a proxy device 400, and a slice controller 500, wherein the switch is communicatively coupled to the proxy device, and the proxy device is communicatively coupled to the slice controller. That is, a proxy device is provided between the switch and the slice controller, and the proxy device takes the role of the slice controller with respect to the switch and takes the role of the switch with respect to the slice controller.
Fig. 4 illustrates a schematic diagram of a proxy device of some embodiments of the present disclosure.
As shown in fig. 4, the proxy apparatus 400 of this embodiment includes: a memory 410 and a processor 420 coupled to the memory 410, wherein the processor 420 is configured to execute the network isolation method in any of the foregoing embodiments based on instructions stored in the memory 410, and specific reference is made to the foregoing embodiments, which are not described herein again.
Memory 410 may include, for example, system memory, fixed non-volatile storage media, and the like. The system memory stores, for example, an operating system, an application program, a Boot Loader (Boot Loader), and other programs.
The Processor 420 may be implemented as discrete hardware components such as a general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), other Programmable logic devices, discrete gates, or transistors.
The proxy device 400 may also include an input/output interface 430, a network interface 440, a storage interface 450, and the like. These interfaces 430, 440, 450 and the connection between the memory 410 and the processor 420 may be, for example, via a bus 460. The input/output interface 430 provides a connection interface for input/output devices such as a display, a mouse, a keyboard, and a touch screen. The network interface 440 provides a connection interface for various networking devices. The storage interface 450 provides a connection interface for external storage devices such as an SD card and a USB disk. The bus 460 may use any of a variety of bus architectures. For example, bus structures include, but are not limited to, an Industry Standard Architecture (ISA) bus, a Micro Channel Architecture (MCA) bus, and a Peripheral Component Interconnect (PCI) bus.
The disclosed embodiments propose a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the network isolation method of the embodiments.
As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more non-transitory computer-readable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only exemplary of the present disclosure and is not intended to limit the present disclosure, so that any modification, equivalent replacement, or improvement made within the spirit and principle of the present disclosure should be included in the scope of the present disclosure.

Claims (16)

1. A method of network isolation, comprising:
a proxy device receives a first data packet sent by a switch;
the proxy device determines a network slice corresponding to the first data packet according to a flow space, wherein the flow space defines the network slice corresponding to each data flow so as to construct an isolated logical network;
the proxy device rewrites the match-field content of the fields in the first data packet that can identify different network slices;
and the proxy device sends the rewritten first data packet to the slice controller corresponding to the network slice of the first data packet.
2. The method of claim 1, further comprising:
the proxy device receives a second data packet sent by the slice controller;
the proxy device rewrites the second data packet according to the network slice corresponding to the slice controller, so that the rewritten second data packet has fields capable of identifying different network slices;
and the proxy device sends the rewritten second data packet to the corresponding switch.
3. The method of claim 1, wherein the agent device rewriting the contents of the matching field of the first packet that identifies a different network slice comprises:
the agent device rewrites matching field content of a field in the first data packet that can identify a different network slice as information of the agent device.
4. The method of claim 3, wherein the agent device rewriting the matching field contents of the field in the first packet that can identify the different network slice as the information of the agent device comprises:
the proxy device rewrites the matching domain content of at least one field in the source IP address, the source port number and the source MAC address in the first data packet into at least one of the IP address, the port number and the MAC address of the proxy device by at least one of the IP address, the port number and the MAC address of the switch.
5. The method of claim 1, wherein
before sending the rewritten first data packet to the slice controller corresponding to the network slice corresponding to the first data packet, the proxy device rewrites the match field content of at least one of the destination IP address, destination port number and destination MAC address fields in the first data packet from at least one of the IP address, port number and MAC address of the proxy device to at least one of the IP address, port number and MAC address of the slice controller corresponding to that network slice.
6. The method of claim 2, wherein the proxy device rewriting the second data packet according to the network slice corresponding to the slice controller, so that the rewritten second data packet has a field that can identify different network slices, comprises:
the proxy device rewrites the match field content of at least one of the destination IP address, destination port number and destination MAC address fields in the second data packet from at least one of the IP address, port number and MAC address of the proxy device to at least one of the IP address, port number and MAC address of the switch.
7. The method of claim 2, wherein
before sending the rewritten second data packet to the corresponding switch, the proxy device rewrites the match field content of at least one of the source IP address, source port number and source MAC address fields in the second data packet from at least one of the IP address, port number and MAC address of the slice controller to at least one of the IP address, port number and MAC address of the proxy device.
8. The method of claim 2, wherein
the first data packet sent by the switch is a data packet requesting a flow table, and the second data packet sent by the slice controller is a data packet issuing the flow table.
9. The method of claim 1, further comprising:
the proxy device receives a symmetric message sent by the switch; if the target proxy device corresponding to the switch is the current proxy device, the proxy device searches whether a corresponding network slice exists, and if so, sends the symmetric message of the switch to the slice controller corresponding to that network slice.
10. The method of claim 9, further comprising:
if the target proxy device corresponding to the switch is not the current proxy device, the symmetric message of the switch is flooded to all proxy devices; the target proxy device corresponding to the switch searches whether a corresponding network slice exists, and if so, sends the symmetric message of the switch to the slice controller corresponding to that network slice.
11. The method of claim 1, further comprising:
the proxy device receives a symmetric message sent by the slice controller and, according to the network slice corresponding to the slice controller, sends the symmetric message of the slice controller to the switch corresponding to that network slice.
12. The method of claim 1, further comprising:
when the logical network in which the switch is located changes, the proxy device synchronously updates the data, stored in the proxy device, of the network slice to which the switch belongs, according to the changed network slice corresponding to the latest slice controller.
13. The method of claim 8, further comprising:
the proxy device receives a third data packet sent by the switch and, according to the flow table, sends the third data packet to the destination corresponding to the corresponding network slice, so as to reduce the control traffic that the slice controller needs to process in real time.
14. A proxy device, comprising:
a memory; and a processor coupled to the memory, the processor configured to perform the network isolation method of any of claims 1-13 based on instructions stored in the memory.
15. A network isolation system comprising a switch, a slice controller, and the proxy device of claim 14, wherein the switch is communicatively coupled to the proxy device and the proxy device is communicatively coupled to the slice controller.
16. A non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the network isolation method of any one of claims 1-13.
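As an added worked example (not code from the patent, which names no implementation), the following Python model shows the proxy of claims 1 to 7 and the slice membership data of claim 12: a flow-space lookup picks the slice for a switch's request, the source and destination IP/port/MAC match fields are rewritten in each direction, and a request with no owning slice, or a controller reply aimed at a switch outside that controller's slice, is dropped. The flow space is assumed to be a list of (destination network, destination port or None, slice id) rules, the `dpid` field standing for the switch identity inside the OpenFlow payload is an assumption, and all addresses are constructed.

```python
from dataclasses import dataclass, replace
import ipaddress

@dataclass(frozen=True)
class Endpoint:          # the IP / port / MAC triple the claims rewrite
    ip: str
    port: int
    mac: str

@dataclass(frozen=True)
class Packet:
    dpid: str            # switch datapath id inside the OpenFlow payload (assumed, not in the claims)
    src: Endpoint        # source IP/port/MAC match fields
    dst: Endpoint        # destination IP/port/MAC match fields
    flow_dst_ip: str     # header of the data flow the switch is asking a flow table for
    flow_dst_port: int

class SliceProxy:
    def __init__(self, me, controllers, flow_space):
        self.me = me                    # proxy's own addresses (claims 4-7)
        self.controllers = controllers  # slice id -> controller Endpoint
        self.flow_space = flow_space    # [(dst network, dst port or None, slice id)] (assumed shape)
        self.members = {}               # slice id -> {dpid: switch Endpoint} (claim 12 data)

    def slice_for(self, pkt):
        """Flow-space lookup (claim 1): first rule whose dst network/port matches wins."""
        for net, port, slice_id in self.flow_space:
            in_net = ipaddress.ip_address(pkt.flow_dst_ip) in ipaddress.ip_network(net)
            if in_net and port in (None, pkt.flow_dst_port):
                return slice_id
        return None          # no slice owns the flow: the request is dropped, not relayed

    def switch_to_controller(self, pkt):
        """Claims 1, 4, 5: src switch -> proxy, dst proxy -> that slice's controller."""
        slice_id = self.slice_for(pkt)
        if slice_id is None:
            return None
        self.members.setdefault(slice_id, {})[pkt.dpid] = pkt.src
        return slice_id, replace(pkt, src=self.me, dst=self.controllers[slice_id])

    def controller_to_switch(self, pkt):
        """Claims 2, 6, 7: src controller -> proxy, dst proxy -> the switch in that slice."""
        slice_id = next((s for s, c in self.controllers.items() if c == pkt.src), None)
        switch = self.members.get(slice_id, {}).get(pkt.dpid)
        if switch is None:   # unknown controller, or a switch outside its slice: blocked
            return None
        return replace(pkt, src=self.me, dst=switch)
```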
Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202111589872.2A CN114338119B (en) 2021-12-23 2021-12-23 Network isolation method and system and proxy equipment
PCT/CN2022/132152 WO2023116268A1 (en) 2021-12-23 2022-11-16 Network isolation method and system, and proxy device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111589872.2A CN114338119B (en) 2021-12-23 2021-12-23 Network isolation method and system and proxy equipment

Publications (2)

Publication Number Publication Date
CN114338119A true CN114338119A (en) 2022-04-12
CN114338119B CN114338119B (en) 2024-08-20

Family

ID=81055131

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111589872.2A Active CN114338119B (en) 2021-12-23 2021-12-23 Network isolation method and system and proxy equipment

Country Status (2)

Country Link
CN (1) CN114338119B (en)
WO (1) WO2023116268A1 (en)

Also Published As

Publication number Publication date
CN114338119B (en) 2024-08-20
WO2023116268A1 (en) 2023-06-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant