CN114928526A - Network isolation and resource planning method and system based on SDN - Google Patents

Network isolation and resource planning method and system based on SDN

Info

Publication number
CN114928526A
Authority
CN
China
Prior art keywords
network
virtual
resource
virtual subnet
identity
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210121949.1A
Other languages
Chinese (zh)
Other versions
CN114928526B (en)
Inventor
谢坤
黄小红
李丹丹
刘威良
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing University of Posts and Telecommunications
Priority to CN202210121949.1A
Publication of CN114928526A
Application granted
Publication of CN114928526B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L 41/04 Network management architectures or arrangements
              • H04L 41/044 Network management architectures or arrangements comprising hierarchical management structures
            • H04L 41/08 Configuration management of networks or network elements
              • H04L 41/0803 Configuration setting
                • H04L 41/0823 Configuration setting characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability
            • H04L 41/50 Network service management, e.g. ensuring proper service fulfilment according to agreements
              • H04L 41/5003 Managing SLA; Interaction between SLA and QoS
                • H04L 41/5019 Ensuring fulfilment of SLA
          • H04L 45/00 Routing or path finding of packets in data switching networks
            • H04L 45/70 Routing based on monitoring results
          • H04L 47/00 Traffic control in data switching networks
            • H04L 47/10 Flow control; Congestion control
              • H04L 47/12 Avoiding congestion; Recovering from congestion
                • H04L 47/125 Avoiding congestion; Recovering from congestion by balancing the load, e.g. traffic engineering
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
              • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                • H04L 63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
            • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
              • H04L 63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
      • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
        • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
          • Y02D 30/00 Reducing energy consumption in communication networks
            • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

In the SDN-based network isolation and resource planning method and system, a network is divided into a plurality of virtual subnets using network virtualization technology, forming logical communication isolation. Network parameters are set according to the security requirements and service requirements of each virtual subnet; when different services need to be deployed in a virtual subnet, available resources are searched for at the physical layer according to the resource request generated by the service and are allocated to the virtual subnet by a master controller. A reasonable resource allocation scheme guarantees the quality of experience and the security requirements of the various services, so that the service quality of the whole network is improved and information security is safeguarded.

Description

Network isolation and resource planning method and system based on SDN
Technical Field
The present application relates to the field of communications technologies, and in particular, to a network isolation and resource planning method and system based on an SDN.
Background
With the development of network virtualization, software-defined networking and related technologies, next-generation networks must provide richer and more diverse services to tenants of many identity types. When devices of many identity types access the network, the tenant networks must be divided according to the identity information of the devices; the various services have different traffic characteristics and security requirements on different tenant networks, and the service experience in each network must be optimized as far as possible while data isolation between tenant networks and secure communication within them are guaranteed. When a logical subnet experiences a traffic burst or a different security policy is deployed, the transmission and network resource configuration requirements of the service applications change dynamically; these changes alter the network environment, and the dynamics of the environment, the diversity of device security requirements and the diversity of traffic make network operation and maintenance ever more complex.
To secure the transmission of multi-identity-type devices accessing the network, traditional network isolation relies mainly on physical isolation and logical isolation. Both, however, are static and coarse-grained, do not support modifying the virtual network at run time, offer a single security policy, adapt poorly to services and lack flexibility.
Disclosure of Invention
In view of this, an object of the present application is to provide a network isolation and resource planning method and system based on an SDN.
Based on the above purpose, the present application provides a network isolation and resource planning method based on SDN, including:
dividing a network into a plurality of virtual subnets by means of an SDN (software-defined network) based address virtualization technique;
determining the network parameters of each virtual subnet according to its security requirements and service requirements, the network parameters comprising a trigger request threshold, a release threshold and a resource holding time;
in response to determining that a link whose traffic load degree exceeds the trigger request threshold exists in a virtual subnet, a sub-controller in that virtual subnet sending a resource request to a master controller;
in response to receiving the resource request, the master controller allocating resources to the virtual subnet as follows:
in response to determining that the remaining available network resources do not satisfy the resource request, the master controller adjusting the network parameters of the other virtual subnets;
in response to determining that the remaining available network resources satisfy the resource request, the master controller computing a recommended path for the resource request, pre-allocating the remaining available network resources to the virtual subnet along the recommended path, and, after the pre-allocation has been held for the resource holding time,
in response to determining that a link whose traffic load degree is not lower than the release threshold (that is, a link that is neither idle nor lightly loaded) exists in the virtual subnet, retaining the pre-allocated network resources in the virtual subnet.
Based on the same inventive concept, the application also provides an SDN-based network isolation and resource planning system comprising, from bottom to top, a data forwarding layer, a network virtualization layer, a control layer and an application layer,
the data forwarding layer being configured to connect network devices of different identity categories through switches, to read the security policy table held in the control layer through a communication module, and to encrypt the data communication of the network devices;
the network virtualization layer being configured to manage a plurality of virtual subnets partitioned, by the SDN-based address virtualization technique, according to the number of identity categories of the network devices;
the control layer comprising a plurality of sub-controllers and a master controller, the sub-controllers corresponding one-to-one to the virtual subnets and managing them, and the master controller managing all the sub-controllers;
the application layer comprising a CA authentication module, an identity calibration and access control module, a security policy deployment module, a network monitoring module and a resource allocation and maintenance module,
the CA authentication module being configured to verify the identity of network devices through the control layer; the identity calibration and access control module to calibrate the identity of network devices and admit them through the control layer; the security policy deployment module to formulate the security policy table from the security requirements and service requirements of each virtual subnet and issue it to the control layer; the network monitoring module to monitor the network state through the control layer; and the resource allocation and maintenance module to allocate and maintain network resources through the control layer.
As can be seen from the above, the SDN-based network isolation and resource planning method and system divide a network into a plurality of virtual subnets using network virtualization technology, forming logical communication isolation. Network parameters are set according to the security requirements and service requirements of each virtual subnet; when different services need to be deployed in a virtual subnet, available resources are searched for at the physical layer according to the resource request generated by the service and are allocated to the virtual subnet by the master controller. A reasonable resource allocation scheme guarantees the quality of experience and the security requirements of the various services, so that the service quality of the whole network is improved and information security is safeguarded.
Drawings
To illustrate the technical solutions of the present application or the related art more clearly, the drawings needed for the description of the embodiments or the related art are briefly introduced below. The drawings described below show only embodiments of the present application; those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of a network isolation and resource planning method based on SDN according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a DDPG algorithm calculation flow according to an embodiment of the present application;
FIG. 3 is a schematic structural diagram of a DDPG module according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a system for network isolation and resource planning based on SDN according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is further described in detail below with reference to the accompanying drawings in combination with specific embodiments.
It should be noted that technical terms or scientific terms used in the embodiments of the present application should have a general meaning as understood by those having ordinary skill in the art to which the present application belongs, unless otherwise defined. The use of "first," "second," and similar terms in the embodiments of the present application do not denote any order, quantity, or importance, but rather the terms are used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that the element or item listed before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items. The terms "connected" or "coupled" and the like are not restricted to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", and the like are used merely to indicate relative positional relationships, and when the absolute position of the object being described is changed, the relative positional relationships may also be changed accordingly.
As described in the background, when a network must admit devices of several classes and carry several classes of service data, particularly in a differentiated communication scenario where devices must be isolated from one another by identity class and by the communication security level that class requires, a security isolation control mechanism for dynamic slice planning and data transmission over network resources is needed. Conventional network isolation lacks a scheme for deploying different security policies per virtual subnet, and a policy that does not fit the security and service requirements of its subnet leads to information security risk or degraded service quality. Different services and security policies in different virtual subnets also need different amounts of resources, and keeping the original resource configuration can hurt subnet performance. Most existing resource scheduling schemes are static or adjust single links; there is no complete, systematic solution, and flexible, fine-grained resource scheduling combined with differentiated security policy deployment is hard to achieve. Most network isolation techniques also struggle to support network hot-fixing, that is, guaranteeing service traffic while the network is changed at run time. It is therefore important to design a scheme that admits devices of multiple identity types to the network with data isolation, deploys multi-level security policies on demand and schedules network resources dynamically and adaptively, so as to achieve better network resource utilization, service quality and tenant experience.
In order to better understand the embodiments provided in the present application, terms referred to in the present application are explained below.
1. Software defined network
Software Defined Networking (SDN) is a network architecture that separates the control plane from the data plane: control functions are no longer computed separately by each switching device but are centralized on a controller, which computes them in one place and pushes the resulting control policies down to the devices. In an SDN deployment, the interface between the control plane and the network applications above it is called the northbound interface (NBI), and the interface between the control plane and the data plane below it is called the southbound interface (SBI). Network applications and users act on the whole network by interacting with the controller through the NBI. SDN gives the network a high degree of programmability, improves the flexibility of network scheduling, and combines naturally with AI-based network management and control.
2. Network virtualization technology
Virtualization is a technique for the abstract management of resources. Network virtualization creates, on top of the underlying physical network, several virtual networks that are isolated from one another and may have different topologies; different virtual networks can run different control strategies and network protocols and so provide differentiated services. An SDN-based network virtualization architecture has three layers: an infrastructure layer, a control layer and a service layer. The infrastructure layer provides the shared physical resources on which network virtualization is realized; the control layer controls the virtual networks, monitors the real-time state of the virtual and physical networks, creates, deletes and manages virtual networks, and exposes an open programmable interface that decouples the virtual networks from the physical network; in the service layer, services customize the network to user requirements, the network is visible to its tenants, and the networks of different tenants are highly isolated.
3. Information encryption technology
Information encryption protects electronic information in transit and at rest by mathematical or physical means so that it cannot be read if it leaks. Symmetric encryption uses a single-key cryptosystem: the same key is used both to encrypt and to decrypt, so it is also called single-key encryption. Asymmetric encryption uses a key pair, a public key and a private key. Data encrypted with the public key can be decrypted only with the matching private key; a value produced with the private key can be verified only with the matching public key, which is how digital signatures work. Because different keys are used for the two operations, the scheme is called asymmetric. Asymmetric schemes are usually built on RSA, ElGamal, Rabin, Diffie-Hellman key exchange or elliptic-curve cryptography (ECC); knapsack schemes such as Merkle-Hellman are often listed as well, but they were broken in the 1980s and are not used in practice. Asymmetric encryption solves the key distribution problem, but its algorithms are more complex and far slower than symmetric ones, which is why in practice an asymmetric exchange is used to establish a symmetric session key.
4. Network routing algorithm
Routing is either static or dynamic. Static routes are entered and maintained by hand by a network administrator and suit small, simple networks or scenarios with fixed requirements. Dynamic routing protocols are the norm in modern computer networks; a dynamic routing algorithm adapts to changes in traffic and in the network topology. The distance-vector algorithm, the earliest dynamic routing algorithm used on the Internet, is also known as the Bellman-Ford or Ford-Fulkerson algorithm; RIP is built on it, and BGP uses a path-vector variant of it. Link-state routing is based on Dijkstra's algorithm: the network topology is represented as a graph and the best routes are computed with a shortest-path algorithm from graph theory; OSPF is the main protocol built on it.
5. Deep reinforcement learning
Deep reinforcement learning combines the perception ability of deep learning with the decision-making ability of reinforcement learning, so an agent can learn control directly from raw input such as images; it is an AI method closer to the way people think. Deep learning is machine learning with deep neural networks as the main tool: a multi-layer network converts an initial low-level feature representation into a high-level one, after which a simple model can complete complex classification and other learning tasks, so deep learning can be understood as feature learning or representation learning. A reinforcement learning task is usually described as a Markov decision process: an agent sits in an environment, and each state is the agent's perception of that environment. When the agent takes an action, the environment moves probabilistically to another state and at the same time returns a reward computed from a reward function. Reinforcement learning therefore has four main elements: state, action, transition probability, and reward function.
6. DDPG algorithm
The DQN (Deep Q-Network, i.e. deep Q-learning) algorithm can learn a value function directly over a continuous state space, but it can only solve reinforcement learning tasks with discrete actions. The DDPG (Deep Deterministic Policy Gradient) algorithm keeps the advantages of DQN and adds a policy network that directly predicts the best action for each state, so it can control a continuous action space with continuous actions. DDPG uses the Actor-Critic (AC) framework: the Actor network generates actions and the Critic network evaluates how good they are; both networks evolve at the same time during learning, the Critic being updated in the DQN manner (temporal-difference targets) and the Actor by the policy gradient.
Embodiments of the present application are described in detail below with reference to the accompanying drawings.
The application provides a network isolation and resource planning method based on an SDN, which, with reference to fig. 1, includes the following steps:
step S101, dividing a network into a plurality of virtual subnets by adopting an address virtualization technology.
Specifically, physical topology detection is performed according to the flow tables issued by the network virtualization layer; once detection is complete, the physical ports of the network edge switches are sliced and the available switch ports are mapped to the different virtual subnets. At this point no resources have yet been assigned to any virtual subnet; each virtual subnet receives its own specific prefix as its virtual network address when it is formed, which completes the isolation at the logical plane.
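The slicing and prefix assignment of step S101, as an added worked example that is not part of the patent text: it maps edge-switch ports to one virtual subnet per identity class, carves a distinct /16 prefix for each subnet, and emits the per-port forward/drop entries that enforce the logical isolation, with a small flow-table lookup to check them. The switch names, port numbers, identity classes and the 10.0.0.0/8 base prefix are constructed for the example.

```python
"""Added example (not from the patent): slicing edge-switch ports into one
virtual subnet per identity class and deriving the flow entries that enforce
the logical isolation of step S101. Switch names, ports, identity classes and
the 10.0.0.0/8 base prefix are constructed for the example."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VirtualSubnet:
    name: str
    prefix: ipaddress.IPv4Network              # the subnet's own virtual address prefix
    ports: dict = field(default_factory=dict)  # switch dpid -> set of sliced edge ports


def slice_ports(identity_classes, edge_ports, base="10.0.0.0/8"):
    """One virtual subnet per identity class, each with a distinct /16 carved
    from `base`. `edge_ports` maps (dpid, port) -> identity class, as physical
    topology detection would report it for the network edge."""
    prefixes = ipaddress.ip_network(base).subnets(new_prefix=16)
    subnets = {cls: VirtualSubnet(cls, next(prefixes)) for cls in identity_classes}
    for (dpid, port), cls in edge_ports.items():
        subnets[cls].ports.setdefault(dpid, set()).add(port)
    return subnets


def isolation_rules(subnets):
    """Per sliced port: forward only toward the port's own subnet prefix, drop
    everything else. Ports not sliced into any subnet hit the table-miss drop."""
    rules = []
    for sn in subnets.values():
        for dpid, ports in sn.ports.items():
            for port in sorted(ports):
                rules.append({"dpid": dpid, "priority": 100, "in_port": port,
                              "nw_dst": str(sn.prefix), "action": "forward"})
                rules.append({"dpid": dpid, "priority": 10, "in_port": port,
                              "nw_dst": "0.0.0.0/0", "action": "drop"})
    return rules


def lookup(rules, dpid, in_port, dst_ip):
    """Emulate flow-table matching: the highest-priority matching entry wins;
    no match is a table miss, treated here as default-deny."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [r for r in rules
               if r["dpid"] == dpid and r["in_port"] == in_port
               and dst in ipaddress.ip_network(r["nw_dst"])]
    if not matches:
        return "drop"
    return max(matches, key=lambda r: r["priority"])["action"]


# Constructed sample input: three identity classes on two edge switches.
SAMPLE_CLASSES = ["tenant-admin", "iot", "guest"]
SAMPLE_EDGE_PORTS = {("s1", 1): "tenant-admin", ("s1", 2): "iot",
                     ("s2", 1): "iot", ("s2", 3): "guest"}


def demo():
    subnets = slice_ports(SAMPLE_CLASSES, SAMPLE_EDGE_PORTS)
    return subnets, isolation_rules(subnets)


if __name__ == "__main__":
    subnets, rules = demo()
    for sn in subnets.values():
        print(sn.name, sn.prefix, sn.ports)
    # the iot port on s1 may reach the iot prefix but not the tenant-admin prefix
    print(lookup(rules, "s1", 2, "10.1.5.5"), lookup(rules, "s1", 2, "10.0.0.7"))
```

The per-port drop entry plus default-deny on table miss is what turns the prefix assignment into enforced isolation; a prefix alone is only an addressing convention.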
In some embodiments, port mapping is performed on the edge side and dedicated "important" virtual links are mapped for virtual subnets with high security requirements. These links are selected with an ant colony algorithm and do not take part in network bandwidth resource scheduling; a network manager can modify the dedicated links under a virtual subnet through the northbound interface API of the network virtualization layer.
In addition, in a virtual subnet with high security requirements, the following security policy may be deployed to limit the information the control channel itself can leak: the switch and the sub-controller in the virtual subnet first agree on the OpenFlow protocol version to use; the sub-controller requests the switch's configuration; the sub-controller sends an authentication request to the switch and, if the request succeeds, generates a session key using the DPID and sends it to the switch for verification, terminating the session if the request fails; the switch verifies the key sent by the sub-controller and, on success, returns an authentication-result response; the sub-controller judges the result from that response and, if authentication succeeded, encrypts all subsequent messages with the session key, otherwise it terminates the session. One caveat a practitioner should keep in mind: the DPID is a 64-bit datapath identifier that the switch itself announces during the OpenFlow handshake, not a secret, so a key derived from the DPID alone and sent over the same channel gives no confidentiality against an on-path observer. The OpenFlow specification already provides for TLS on the controller-switch channel; the DPID is best used as a binding to the switch identity within an exchange that also relies on a provisioned secret or certificate.
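An added example, not the patent's own code, contrasting the two points above: `weak_session_key` is a key derived from the DPID alone, which anyone who observed the handshake can recompute, while `Controller` and `Switch` run a challenge-response over a pre-shared secret provisioned per switch, binding the DPID and two fresh nonces, deriving the session key with HKDF-SHA256 and tagging subsequent messages with HMAC. The DPID value, the pre-shared secret and the message labels are constructed; the standard library has no authenticated cipher, so the example stops at integrity tags where an AES-GCM layer would sit.

```python
"""Added example (not from the patent): sub-controller/switch authentication.
weak_session_key() reproduces a key derived from the DPID alone; Controller and
Switch show a PSK-based challenge-response with an HKDF-derived session key.
DPID, PSK and labels are constructed for the example."""
import hashlib
import hmac
import secrets


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with SHA-256, stdlib only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def weak_session_key(dpid: int) -> bytes:
    """Key from the DPID only. The switch announces its DPID in the OpenFlow
    FEATURES_REPLY, so an on-path observer computes exactly the same key."""
    return hashlib.sha256(dpid.to_bytes(8, "big")).digest()


class Switch:
    def __init__(self, dpid: int, psk: bytes):
        self.dpid, self.psk, self.key = dpid, psk, None

    def answer(self, nonce_c: bytes):
        """Prove knowledge of the PSK over (DPID, controller nonce, own nonce)
        and derive the session key from the same transcript."""
        nonce_s = secrets.token_bytes(16)
        transcript = self.dpid.to_bytes(8, "big") + nonce_c + nonce_s
        proof = hmac.new(self.psk, b"switch-auth" + transcript, hashlib.sha256).digest()
        self.key = hkdf_sha256(self.psk, transcript, b"of-session")
        return nonce_s, proof


class Controller:
    def __init__(self, registry: dict):
        self.registry = registry   # DPID -> PSK provisioned out of band
        self.sessions = {}         # DPID -> session key after a successful handshake

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)   # fresh nonce: a replayed proof never verifies

    def verify(self, dpid: int, nonce_c: bytes, nonce_s: bytes, proof: bytes) -> bool:
        """Recompute the proof under the registered PSK with a constant-time
        compare; on failure the session is terminated and no key is installed."""
        psk = self.registry.get(dpid)
        if psk is None:
            return False
        transcript = dpid.to_bytes(8, "big") + nonce_c + nonce_s
        expected = hmac.new(psk, b"switch-auth" + transcript, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return False
        self.sessions[dpid] = hkdf_sha256(psk, transcript, b"of-session")
        return True


def run_handshake(controller: Controller, switch: Switch) -> bool:
    nonce_c = controller.challenge()
    nonce_s, proof = switch.answer(nonce_c)
    return controller.verify(switch.dpid, nonce_c, nonce_s, proof)


def tag(key: bytes, msg: bytes) -> bytes:
    """Integrity tag for a post-handshake control message."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def check_tag(key: bytes, msg: bytes, t: bytes) -> bool:
    return hmac.compare_digest(tag(key, msg), t)


# Constructed sample: one registered switch and an impostor claiming its DPID.
DPID = 0x1A2B3C4D5E6F7081
PSK = secrets.token_bytes(32)
CTRL = Controller({DPID: PSK})


def demo():
    good = Switch(DPID, PSK)
    impostor = Switch(DPID, b"guessed-psk")
    ok_good = run_handshake(CTRL, good)
    first_key = CTRL.sessions.get(DPID)
    keys_match = ok_good and hmac.compare_digest(good.key, first_key)
    ok_bad = run_handshake(CTRL, impostor)       # wrong PSK: rejected, no key installed
    run_handshake(CTRL, good)                    # second session for the same switch
    fresh = CTRL.sessions[DPID] != first_key     # nonces make every session key unique
    return ok_good, ok_bad, keys_match, fresh


if __name__ == "__main__":
    print(demo())
```

The DPID still appears in the transcript, so the derived key is bound to the switch identity as the text intends, but the secrecy of the key rests on the PSK and the nonces rather than on an identifier the switch broadcasts.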
Step S102, determining the network parameters of each virtual subnet according to its security requirements and service requirements, the network parameters comprising a trigger request threshold, a release threshold and a resource holding time.
Specifically, each virtual subnet has its own security requirements and service requirements, so its network parameters must be set accordingly. Services and security policies differ between virtual subnets, which provides users with a differentiated communication scenario equipped with a security isolation control mechanism.
Step S103, in response to determining that a link whose traffic load degree exceeds the trigger request threshold exists in the virtual subnet, a sub-controller in the virtual subnet sends a resource request to the master controller.
When service traffic enters a virtual subnet, the control layer computes the traffic load degree of each virtual link in that subnet. If the load degree of one or more virtual links exceeds the trigger request threshold preset for the subnet, the sub-controller of the subnet sends a resource request to the master controller. The request is a link resource request with s as the source node and t as the destination node: because the link between s and t is overloaded in the current network state, it is for this node pair that resources are requested.
Step S104, in response to receiving the resource request, the master controller allocates resources to the virtual subnet: if the remaining available network resources do not satisfy the request, the master controller adjusts the network parameters of the other virtual subnets; if they do satisfy it, the master controller computes a recommended path for the request, pre-allocates the remaining available network resources to the virtual subnet along that path, and, once the pre-allocation has been held for the resource holding time, retains the pre-allocated resources in the virtual subnet if the subnet still contains a link whose traffic load degree is not lower than the release threshold (that is, a link that is neither idle nor lightly loaded).
Specifically, after receiving the resource request, the master controller checks the remaining available network resources it maintains. If they do not satisfy the request, the master controller adjusts the network parameters of the other virtual subnets, in the expectation that those subnets release some network resources that can then be given to the requesting subnet. If the current remaining available network resources do satisfy the request, resources are allocated to the requesting subnet from that pool: the master controller runs an optimization over the source and destination nodes in the request to find a suitable recommended path and pre-allocates the remaining available network resources to the virtual subnet along it. Once the pre-allocation has been held for the resource holding time, if the virtual subnet still contains a link whose traffic load degree is not lower than the release threshold, the network resources of the subnet are being used effectively and the pre-allocated resources are retained in the virtual subnet.
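Steps S103 and S104 as one added control loop, again example code rather than the patent's implementation: the sub-controller reports virtual links whose load degree exceeds the trigger threshold, the master controller finds the fewest-hop path with enough residual bandwidth (a hop-count search standing in for the DDPG-based recommendation the patent describes), pre-allocates along it, and after the holding time retains the pre-allocation only if the link is still loaded at or above the release threshold. The topology, bandwidth figures and thresholds are constructed; that idle pre-allocations are returned to the pool, and that adjusting the other subnets' parameters means raising their release thresholds, are assumptions made for the example.

```python
"""Added example (not from the patent): the trigger / release / hold-time loop of
steps S103 and S104 on a constructed topology. Hop-count search over links with
enough residual bandwidth stands in for the DDPG recommendation; releasing idle
pre-allocations and raising other subnets' release thresholds are assumptions."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Link:
    capacity: float          # Mbit/s on the physical link
    used: float = 0.0        # Mbit/s reserved by all virtual subnets together


@dataclass
class SubnetParams:
    trigger: float     # load degree above which the sub-controller requests resources
    release: float     # load degree below which a pre-allocation counts as idle
    hold_time: int     # seconds a pre-allocation is held before its use is re-checked


@dataclass
class VirtualSubnet:
    name: str
    params: SubnetParams
    links: dict = field(default_factory=dict)    # (s, t) -> {"alloc": Mbit/s, "used": Mbit/s}
    pending: list = field(default_factory=list)  # (vlink, physical path, bw, t0)


def key(u, v):
    return (u, v) if u <= v else (v, u)


def load_degree(alloc: float, used: float) -> float:
    return used / alloc if alloc > 0 else 0.0


def sub_controller_check(sn):
    """S103: one (s, t) resource request per virtual link above the trigger threshold."""
    return [vl for vl, x in sn.links.items()
            if load_degree(x["alloc"], x["used"]) > sn.params.trigger]


def recommend_path(phys, s, t, demand):
    """Fewest-hop s->t path whose every physical link still has `demand` Mbit/s free."""
    adj = {}
    for (u, v), link in phys.items():
        if link.capacity - link.used >= demand:
            adj.setdefault(u, []).append(v)
            adj.setdefault(v, []).append(u)
    prev, queue = {s: None}, deque([s])
    while queue:
        u = queue.popleft()
        if u == t:
            path = []
            while u is not None:
                path.append(u)
                u = prev[u]
            return path[::-1]
        for v in adj.get(u, []):
            if v not in prev:
                prev[v] = u
                queue.append(v)
    return None


def master_allocate(phys, subnets, sn, s, t, demand, now):
    """S104: pre-allocate along the recommended path, or, if the remaining resources
    cannot satisfy the request, adjust the other subnets' parameters instead."""
    path = recommend_path(phys, s, t, demand)
    if path is None:
        for other in subnets.values():       # assumption: raise release thresholds so
            if other is not sn:              # their idle pre-allocations free up sooner
                other.params.release = min(1.0, other.params.release + 0.1)
        return None
    for u, v in zip(path, path[1:]):
        phys[key(u, v)].used += demand
    sn.links.setdefault(key(s, t), {"alloc": 0.0, "used": 0.0})["alloc"] += demand
    sn.pending.append((key(s, t), path, demand, now))
    return path


def master_maintain(phys, sn, now):
    """After hold_time: retain a pre-allocation if its virtual link is still loaded
    at or above the release threshold; otherwise (assumption) return it to the pool."""
    kept, still_pending = [], []
    for vlink, path, bw, t0 in sn.pending:
        if now - t0 < sn.params.hold_time:
            still_pending.append((vlink, path, bw, t0))
            continue
        x = sn.links[vlink]
        if load_degree(x["alloc"], x["used"]) >= sn.params.release:
            kept.append(vlink)
        else:
            for u, v in zip(path, path[1:]):
                phys[key(u, v)].used -= bw
            x["alloc"] -= bw
    sn.pending = still_pending
    return kept


def demo():
    # Constructed ring s-a-t-b-s of 100 Mbit/s links and two virtual subnets.
    phys = {key(*e): Link(100.0) for e in [("s", "a"), ("a", "t"), ("t", "b"), ("b", "s")]}
    subnets = {"high-sec": VirtualSubnet("high-sec", SubnetParams(0.8, 0.3, 60)),
               "guest": VirtualSubnet("guest", SubnetParams(0.9, 0.5, 30))}
    hs = subnets["high-sec"]
    hs.links[key("s", "t")] = {"alloc": 20.0, "used": 18.0}   # load 0.9 > trigger 0.8
    phys[key("s", "a")].used = 90.0                           # s-a has only 10 Mbit/s free
    requests = sub_controller_check(hs)
    path1 = master_allocate(phys, subnets, hs, "s", "t", 30.0, now=0)   # must go via b
    x = hs.links[key("s", "t")]
    load_after = round(load_degree(x["alloc"], x["used"]), 2)          # 18/50
    kept = master_maintain(phys, hs, now=60)            # still >= release 0.3: retained
    path2 = master_allocate(phys, subnets, hs, "s", "t", 80.0, now=60)  # no path: adjust
    return requests, path1, load_after, kept, path2, subnets["guest"].params.release
```

Calling `demo()` walks the whole loop once: the overloaded virtual link triggers a request, the 30 Mbit/s pre-allocation is routed around the nearly full s-a link, is retained after the holding time because traffic is still flowing, and a later 80 Mbit/s request that no path can carry causes the master controller to adjust the guest subnet's parameters rather than fail silently.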
In some embodiments, dividing the network into a plurality of virtual subnets with the address virtualization technology includes: obtaining the number of identity categories of the network devices to be connected to the network, and dividing the network according to that number to obtain the plurality of virtual subnets.
Specifically, the network is divided according to the number of identity categories of the network devices to be connected, and the number of virtual subnets obtained equals the number of identity categories: if the devices to be connected fall into 3 identity categories, the division yields 3 virtual subnets. Network devices of different identity categories handle different services, and different services may place different requirements on network security. Because the virtual subnets are divided by identity category, each service can be directed to the matching virtual subnet when it is connected, which improves the user's quality of experience and the quality of service of the whole network.
In some embodiments, connecting a network device to the network comprises: in response to determining that this is not the network device's first access to the network, the network device authenticates itself through the master CA authentication server and, once the identity authentication passes, sends its public key to the master controller; the master controller then assigns the corresponding virtual subnet to the network device according to the prefix of the public key, and allocates a certain amount of bandwidth to the virtual link connected to the network device.
Specifically, a network device that has previously accessed the network already holds a key pair, that is, a public key and a private key. The prefix of the public key is associated with the address of a virtual subnet, so the matching virtual subnet can be found from that prefix. When the network device accesses the network again, its identity must be verified by the master CA authentication server, which means checking the device's digital certificate; that certificate was obtained when the device first accessed the network.
In some embodiments, in response to determining that the network device is accessing the network for the first time, the network device sends a registration request to the master controller, and after the request is approved the master CA authentication server sends a digital certificate and a key pair to the network device; the network device then sends the public key of the key pair to the master controller, and the master controller assigns the corresponding virtual subnet to the network device according to the prefix of the public key.
Specifically, when a network device accesses the network for the first time, it must send a registration request to the master controller; once the request succeeds, the master CA authentication server issues a digital certificate and a key pair. The key pair comprises a public key and a private key. The public key is sent to the master controller, which assigns the corresponding virtual subnet to the network device according to the prefix of the public key and allocates a certain amount of bandwidth to the virtual link connected to the network device.
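The two access flows above, first access and re-access, as an added Go example (this is not code from the patent). It models the master CA authentication server and the master controller together: a first access issues an ECDSA key pair and certificate and binds the new public key's prefix to the subnet of the device's identity category; a later access verifies the certificate's signature and validity period against the CA and looks the prefix up. The identity categories, the subnet addresses, the 8-byte prefix length and the prefix-to-subnet table are assumptions; the bandwidth allocation on the device's link is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

// Constructed sample: one virtual subnet per identity category (addresses are assumed).
var subnetByCategory = map[string]string{"sensor": "10.1.0.0/16", "operator": "10.2.0.0/16"}

// Device is what a network device keeps after its first access.
type Device struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// Controller models master CA and master controller: it issues certificates and keeps the prefix -> subnet table.
type Controller struct {
	caKey          *ecdsa.PrivateKey
	caCert         *x509.Certificate
	prefixToSubnet map[string]string
}

// pubKeyPrefix takes the leading 8 bytes of the public key's X coordinate (assumed prefix length).
func pubKeyPrefix(pub *ecdsa.PublicKey) string {
	return hex.EncodeToString(pub.X.FillBytes(make([]byte, 32))[:8])
}

// issue signs tmpl with the CA key; while the CA has no certificate yet it self-signs.
func (c *Controller) issue(tmpl *x509.Certificate, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(24*time.Hour)
	parent := c.caCert
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, c.caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewController generates the CA key and its self-signed CA certificate.
func NewController() (*Controller, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	c := &Controller{caKey: key, prefixToSubnet: map[string]string{}}
	c.caCert, err = c.issue(&x509.Certificate{Subject: pkix.Name{CommonName: "master CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, &key.PublicKey)
	return c, err
}

// Register handles a first access: the CA issues key pair and certificate, and the
// new public key's prefix is bound to the subnet of the device's identity category.
func (c *Controller) Register(name, category string) (*Device, string, error) {
	subnet, ok := subnetByCategory[category]
	if !ok {
		return nil, "", errors.New("unknown identity category: " + category)
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, "", err
	}
	cert, err := c.issue(&x509.Certificate{Subject: pkix.Name{CommonName: name},
		KeyUsage: x509.KeyUsageDigitalSignature}, &key.PublicKey)
	if err != nil {
		return nil, "", err
	}
	c.prefixToSubnet[pubKeyPrefix(&key.PublicKey)] = subnet
	return &Device{Key: key, Cert: cert}, subnet, nil
}

// Reaccess handles a later access: the certificate is checked against the master CA
// (signature and validity period), then the public-key prefix selects the subnet.
func (c *Controller) Reaccess(cert *x509.Certificate) (string, error) {
	if err := cert.CheckSignatureFrom(c.caCert); err != nil {
		return "", errors.New("certificate rejected: " + err.Error())
	}
	if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return "", errors.New("certificate outside its validity period")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("unexpected public key type")
	}
	if subnet, ok := c.prefixToSubnet[pubKeyPrefix(pub)]; ok {
		return subnet, nil
	}
	return "", errors.New("public-key prefix not bound to any virtual subnet")
}
```

A certificate issued by a different CA fails `CheckSignatureFrom` before the prefix table is ever consulted, which is the order the text requires: identity verification first, subnet assignment second.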
In some embodiments, when the network device carries out data communication in the network, the network device and the service traffic produced by that communication are encrypted according to the security requirement of the virtual subnet in which the network device is located.
Specifically, each virtual subnet has its own security requirement and service requirement. After a particular service flow is admitted, the identity of the network devices taking part in the data communication must be verified according to a pre-established security policy table, and the service traffic must be encrypted. The security policy table is built from the security requirements and service requirements of the different virtual subnets and is stored in a database of the SDN network. The sub-controller of each virtual subnet reads the security policy table and enforces the corresponding security policy. In this way different security policies are deployed for different service flows, giving a differentiated security scheme.
In some embodiments, encrypting the network device and the service traffic generated by the data communication according to the security requirement of the virtual subnet in which the network device is located includes:
in response to determining that the security requirement is a first requirement, the sub-controller verifies the identity of the network devices performing the data communication and applies asymmetric encryption to the service traffic;
and in response to determining that the security requirement is a second requirement, the sub-controller verifies the identity of the network devices performing the data communication and applies symmetric encryption to the service traffic.
Specifically, the security requirements of the virtual subnets are divided into three levels: virtual subnets with a high security requirement, virtual subnets with a general security requirement, and virtual subnets with a low security requirement. For a virtual subnet with a high security requirement, that is, when the security requirement is the first requirement, the sub-controller issues an authentication request before each data communication starts, during the communication, and after it ends; the communication is suspended, the identity of the communicating network devices is verified, and the digital certificates of both parties are checked. In addition, the service traffic is encrypted with the key pair of the network device so that the content exchanged by the two parties stays confidential. For a virtual subnet with a general security requirement, that is, when the security requirement is the second requirement, the sub-controller issues an authentication request before each data communication starts and after it ends; the communication is suspended, the identity of the communicating network devices is verified, and the digital certificates of both parties are checked. In addition, the control plane generates a symmetric encryption algorithm and a key, and the service traffic is encrypted and decrypted with that key so that the content exchanged by the two parties stays confidential. For a virtual subnet with a low security requirement, no such processing of the communicating network devices or of the service traffic is needed.
In the asymmetric encryption scenario, a network device newly connected to the virtual subnet broadcasts its public key; the other network devices in the virtual subnet reply with their own public keys on receiving it, and the public keys of the devices in the virtual subnet are maintained by the sub CA authentication server of that subnet.
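An added Go example of the sub-controller side of the three levels just described (not the patent's code): it reads a constructed security policy table and protects service traffic accordingly, using RSA-OAEP under the peer's key pair held by the sub CA for the first (high) requirement, AES-GCM under a control-plane session key for the second (general) requirement, and no processing for the low level. A subnet missing from the table is refused rather than silently treated as low. The subnet addresses, the choice of RSA for the device key pair and of AES-GCM as the control-plane symmetric algorithm are assumptions; the per-phase certificate checks are not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Level is a virtual subnet's security requirement: first requirement (high), second (general), or low.
type Level int

const (
	LevelLow Level = iota
	LevelGeneral
	LevelHigh
)

// PolicyTable binds each virtual subnet to its level (constructed sample).
var PolicyTable = map[string]Level{
	"10.1.0.0/16": LevelHigh, "10.2.0.0/16": LevelGeneral, "10.3.0.0/16": LevelLow,
}

// SubController enforces the policy of one virtual subnet.
type SubController struct {
	Subnet     string
	SessionKey []byte                    // symmetric key generated by the control plane (general level)
	Directory  map[string]*rsa.PublicKey // public keys held by the sub CA (high level)
}

// level fails closed: a subnet missing from the table gets no traffic handled at all.
func (sc *SubController) level() (Level, error) {
	if l, ok := PolicyTable[sc.Subnet]; ok {
		return l, nil
	}
	return 0, errors.New("no security policy for " + sc.Subnet)
}

func (sc *SubController) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(sc.SessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect encrypts service traffic for peer "to" as the level demands: RSA-OAEP under
// the peer's key pair (high), AES-GCM under the session key (general), nothing (low).
func (sc *SubController) Protect(to string, msg []byte) ([]byte, error) {
	l, err := sc.level()
	if err != nil {
		return nil, err
	}
	switch l {
	case LevelHigh:
		pub, ok := sc.Directory[to]
		if !ok {
			return nil, errors.New("sub CA holds no public key for " + to)
		}
		return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
	case LevelGeneral:
		gcm, err := sc.aead()
		if err != nil {
			return nil, err
		}
		nonce := make([]byte, gcm.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		return gcm.Seal(nonce, nonce, msg, nil), nil
	}
	return msg, nil
}

// Unprotect reverses Protect on the receiving device; the private key is needed
// only at the high level.
func (sc *SubController) Unprotect(self *rsa.PrivateKey, data []byte) ([]byte, error) {
	l, err := sc.level()
	if err != nil {
		return nil, err
	}
	switch l {
	case LevelHigh:
		return rsa.DecryptOAEP(sha256.New(), nil, self, data, nil)
	case LevelGeneral:
		gcm, err := sc.aead()
		if err != nil {
			return nil, err
		}
		if n := gcm.NonceSize(); len(data) >= n {
			return gcm.Open(nil, data[:n], data[n:], nil)
		}
		return nil, errors.New("ciphertext shorter than the nonce")
	}
	return data, nil
}
```

At the high level a device can only be addressed once its public key has been recorded by the sub CA, which is the effect of the broadcast-and-reply exchange in the preceding paragraph; at the general level every device in the subnet shares the session key the control plane handed out.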
In some embodiments, the master controller computing the recommended path for the resource request on the basis of the resource request includes: obtaining a current path with the Dijkstra algorithm from the link endpoints in the resource request, and obtaining the recommended path from the current path with the deep deterministic policy gradient (DDPG) algorithm.
Specifically, a shortest end-to-end path generated by the Dijkstra algorithm serves as the current solution, and the DDPG algorithm then iterates over the current solution space until an optimal equivalent end-to-end path is obtained as the recommended path. How the DDPG algorithm finds the best path is described below with reference to fig. 2 and fig. 3, where fig. 2 is a flowchart of the DDPG algorithm and fig. 3 is a block diagram of it.
The inputs to the algorithm are:
the parameters of the Actor online network, the Actor target network, the Critic online network and the Critic target network, denoted $\theta$, $\theta'$, $\omega$ and $\omega'$ respectively; the discount factor $\gamma$; the soft update coefficient $\tau$; the mini-batch size $m$ used for batch gradient descent; the update frequency $C$ of the target Q network parameters; the maximum number of iterations $T$; and the random noise function
Figure BDA0003498667440000103
The outputs of the algorithm are:
the optimal Actor online network parameters $\theta$ and Critic online network parameters $\omega$;
The specific flow of the algorithm is as follows:
Step S201, initialize $\theta$ and $\omega$, set $\omega' = \omega$ and $\theta' = \theta$, and empty the experience replay set $D$;
Step S202, within the maximum number of iterations, iterate as follows:
Step S2021, obtain the latest network state, which comprises the demand matrix of the virtual subnet to be optimized and the other background flows present in the network; initialize $S$ as the first state of the current state sequence and take the feature vector $\phi(S)$ of the state sequence;
Step S2022, obtain the action $A$ from the state $S$ in the Actor online network:
Figure BDA0003498667440000101
The action is an array of floating point numbers, each between 0 and 1, whose length is the number of end-to-end bandwidth resource applications in the virtual subnet plus one. The first element of the array is the bandwidth weight; multiplying it by the upper bandwidth limit of the service gives the bandwidth allocated to the resource application in the path planning strategy;
Step S2023, execute the action $A$ in the network simulation environment to obtain the new state $S'$, the reward $R$, and the termination flag $\mathrm{is\_end}$, where
Figure BDA0003498667440000102
where $k$ is the number of virtual subnets, $w_i$ is the importance weight of the $i$-th virtual subnet and all $w_i$ sum to 1, $R_i = w_j \min(c_i - \alpha,\; \beta - c_i) + w_m (d_i - t_i) + w_n r$ with $w_j + w_m + w_n = 1$, $c_i$ is the average load of the path during transmission, $d_i$ is the resource dispersion degree, $t_i$ is the average hop count of the bandwidth, and $r$ describes how much of the whole network's resources remain;
Step S2024, store the quintuple $\{\phi(S), A, R, \phi(S'), \mathrm{is\_end}\}$ in the experience replay set $D$, where $\phi(S')$ is the feature vector of the state $S'$;
Step S2025, state transition $S = S'$;
Step S2026, sample $m$ samples $\{\phi(S_j), A_j, R_j, \phi(S_j'), \mathrm{is\_end}_j\}$, $j = 1, 2, \ldots, m$, from the experience replay set $D$, and compute the current target Q value $y_j$:
Figure BDA0003498667440000111
Step S2027, using the mean square error loss function
Figure BDA0003498667440000112
Figure BDA0003498667440000113
update all parameters $\omega$ of the Critic online network by gradient back-propagation through the neural network;
Step S2028, use
Figure BDA0003498667440000114
update all parameters $\theta$ of the Actor online network by gradient back-propagation through the neural network;
Step S2029, if $T \bmod C = 1$, update the parameters of the Critic target network and the Actor target network:
ω′←τω+(1-τ)ω′
θ′←τθ+(1-τ)θ′
Step S20210, if $S'$ is the termination state, end the current iteration; otherwise, return to step S2022.
In summary, as shown in fig. 2, the Actor network and the Critic network are initialized; while the preset maximum number of iterations has not been reached, an action is derived from the current network state, the action is executed in the network simulator or test environment, the experience replay pool is updated from the action and the state, and iteration continues until the maximum number of iterations is reached, at which point the optimal planning scheme is returned and the algorithm ends. As shown in fig. 3, the Actor module generates an action from the network state, the action is applied to a test network, the test network returns a reward based on the performance evaluation index, the reward is fed back to the Critic module to produce a new evaluation, new states and evaluations are generated throughout the iteration period, and once the number of iterations is reached the best resource plan is returned to the real network.
The recommended path is obtained by the above algorithm. Fine-grained adjustment of resources such as link bandwidth and ports is carried out by deep reinforcement learning according to the network load of each logical virtual subn, which removes the conventional limitation that resource plans cannot be modified while running, and the path planning strategy is adjusted in real time to follow the dynamically changing network environment and security policy requirements.
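An added Go example (not from the patent) of the parts of the path search that the text states concretely: the Dijkstra shortest path that serves as the current solution, the per-subnet reward $R_i$ of step S2023 together with the constraint on its coefficients, and the soft target update of step S2029. The topology and parameter values are constructed, and the weighted sum used to combine the $R_i$ into the total reward is an assumption (the page gives the aggregate only as an image); the DDPG networks themselves are not implemented.

```go
package main

import (
	"errors"
	"math"
)

// Graph is an undirected topology: node -> neighbour -> link cost (hop weight).
type Graph map[string]map[string]float64

// AddLink inserts a bidirectional link.
func (g Graph) AddLink(a, b string, cost float64) {
	if g[a] == nil {
		g[a] = map[string]float64{}
	}
	if g[b] == nil {
		g[b] = map[string]float64{}
	}
	g[a][b], g[b][a] = cost, cost
}

// Dijkstra returns the shortest src->dst path and its cost: the current solution
// from which the DDPG search starts. Ties are broken by node name for determinism.
func (g Graph) Dijkstra(src, dst string) ([]string, float64) {
	if g[src] == nil || g[dst] == nil {
		return nil, math.Inf(1)
	}
	dist, prev, done := map[string]float64{}, map[string]string{}, map[string]bool{}
	for n := range g {
		dist[n] = math.Inf(1)
	}
	dist[src] = 0
	for {
		u, best := "", math.Inf(1)
		for n, d := range dist { // pick the unvisited node with the smallest tentative distance
			if !done[n] && (d < best || (d == best && n < u)) {
				u, best = n, d
			}
		}
		if u == "" || u == dst {
			break
		}
		done[u] = true
		for v, c := range g[u] {
			if nd := dist[u] + c; nd < dist[v] {
				dist[v], prev[v] = nd, u
			}
		}
	}
	if math.IsInf(dist[dst], 1) {
		return nil, dist[dst]
	}
	path := []string{dst}
	for n := dst; n != src; n = prev[n] {
		path = append([]string{prev[n]}, path...)
	}
	return path, dist[dst]
}

// SubnetStats holds the terms of the per-subnet reward R_i for one virtual subnet.
type SubnetStats struct {
	Weight     float64 // w_i, importance of the subnet; all w_i sum to 1
	AvgLoad    float64 // c_i, average load of the path during transmission
	Dispersion float64 // d_i, resource dispersion degree
	AvgHops    float64 // t_i, average hop count of the bandwidth
}

// RewardParams are the shared coefficients of R_i (w_j + w_m + w_n = 1) and the
// load band [Alpha, Beta] inside which c_i earns a positive term.
type RewardParams struct {
	Wj, Wm, Wn, Alpha, Beta float64
}

// SubnetReward is R_i = w_j*min(c_i-alpha, beta-c_i) + w_m*(d_i-t_i) + w_n*r.
func SubnetReward(s SubnetStats, p RewardParams, r float64) float64 {
	return p.Wj*math.Min(s.AvgLoad-p.Alpha, p.Beta-s.AvgLoad) + p.Wm*(s.Dispersion-s.AvgHops) + p.Wn*r
}

// TotalReward combines the k subnet rewards with their importance weights after
// checking both weight constraints (the weighted sum itself is an assumption).
func TotalReward(subs []SubnetStats, p RewardParams, r float64) (float64, error) {
	if math.Abs(p.Wj+p.Wm+p.Wn-1) > 1e-9 {
		return 0, errors.New("w_j + w_m + w_n must equal 1")
	}
	wsum, total := 0.0, 0.0
	for _, s := range subs {
		wsum += s.Weight
		total += s.Weight * SubnetReward(s, p, r)
	}
	if math.Abs(wsum-1) > 1e-9 {
		return 0, errors.New("subnet importance weights w_i must sum to 1")
	}
	return total, nil
}

// SoftUpdate applies the step S2029 rule w' <- tau*w + (1-tau)*w' in place.
func SoftUpdate(target, online []float64, tau float64) {
	for i := range target {
		target[i] = tau*online[i] + (1-tau)*target[i]
	}
}
```

The `min(c_i - α, β - c_i)` term is what penalises both an under-used and an over-loaded path: it is positive only while the average load stays inside the band and turns negative as soon as the load leaves it on either side.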
In some embodiments, in response to determining that a link whose traffic load degree is lower than the release threshold exists in the virtual subnet, the master controller performs resource recovery on the idle resources of the virtual subnet until a link whose traffic load degree is not lower than the release threshold, or is zero, exists in the virtual subnet, where the network maintenance time before each resource recovery satisfies the resource holding time.
Specifically, when the traffic load degree of the virtual subnet is computed and a link below the release threshold is found, resource recovery must be performed on the idle resources of the virtual subnet. The network is then maintained for the resource holding time and the traffic load degree of the virtual subnet is recomputed; if a link below the release threshold still exists, resource recovery of the idle resources continues, until a link whose traffic load degree is not lower than the release threshold, or is zero, exists in the virtual subnet. Before every resource recovery it must be ensured that the network maintenance time has reached the resource holding time. Resource recovery keeps the utilisation of network resources high, makes full use of them, improves the quality of service and the user's experience, and avoids wasted and idle network resources.
In some embodiments, the master controller adjusting the network parameters of the other virtual subnets includes: the master controller lowering the release threshold and the resource holding time of the other virtual subnets according to their security requirements. The master controller adjusts the network parameters of virtual subnets with low security requirements or low priority, lowering their release threshold and resource holding time, so that those virtual subnets release some network resources, which are then allocated to the virtual subnet that submitted the resource request; in this way the network resources are used sensibly and planned as a whole.
In addition, even when no service flow is connected to the network, each sub-controller continuously monitors the network traffic load degree in its virtual subnet. When the load degree reaches the subnet's trigger request threshold, the sub-controller assembles a demand matrix of source node, destination node and required bandwidth and sends a resource request to the master controller; when the load degree reaches the subnet's release threshold, the sub-controller assembles a demand matrix of source node, destination node and bandwidth to release and sends a release request to the master controller.
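An added Go simulation (not the patent's code) that ties the sub-controller monitoring just described to the master controller's handling of step S104 and to the resource recovery and parameter adjustment of the preceding paragraphs. Assumptions: time is discretised into ticks, a request asks for the bandwidth that returns the link's load to the trigger threshold, recovery shrinks a link until its load sits on the release threshold, the master halves the release threshold and holding time of low-priority subnets when its pool is short, and the grant lands directly on the requesting link (path computation is left out).

```go
package main

import "math"

// Link is one virtual link of a virtual subnet; its traffic load degree is Used/Capacity.
type Link struct{ Capacity, Used float64 }

func (l *Link) Load() float64 { return l.Used / l.Capacity }

// Subnet carries the network parameters derived from the subnet's requirements plus the sub-controller's state.
type Subnet struct {
	Name             string
	LowPriority      bool             // master may adjust its parameters (assumption)
	TriggerThreshold float64          // load degree above which a resource request is sent
	ReleaseThreshold float64          // load degree below which idle resources are reclaimed
	HoldingTime      int              // ticks the network is maintained before any recovery
	HeldFor          int              // ticks since the last allocation or recovery
	Links            map[string]*Link // keyed "src->dst"
}

// Request is one row of the demand matrix a sub-controller sends to the master.
type Request struct {
	Subnet, Link string
	Bandwidth    float64
}

// Monitor is the sub-controller's periodic check: a link whose load exceeds the trigger
// threshold yields a request for the bandwidth that brings its load back to the threshold.
func (s *Subnet) Monitor() []Request {
	var reqs []Request
	for name, l := range s.Links {
		if l.Load() > s.TriggerThreshold {
			reqs = append(reqs, Request{s.Name, name, l.Used/s.TriggerThreshold - l.Capacity})
		}
	}
	return reqs
}

// Recover is the resource recovery: once the holding time is met, every link whose load is
// below the release threshold but not zero gives back spare capacity. Returns the amount reclaimed.
func (s *Subnet) Recover() float64 {
	if s.HeldFor < s.HoldingTime {
		return 0
	}
	reclaimed := 0.0
	for _, l := range s.Links {
		if load := l.Load(); load > 0 && load < s.ReleaseThreshold {
			target := l.Used / s.ReleaseThreshold
			reclaimed += l.Capacity - target
			l.Capacity = target
		}
	}
	if reclaimed > 0 {
		s.HeldFor = 0
	}
	return reclaimed
}

// Master is the master controller with its pool of remaining available resources.
type Master struct {
	Remaining float64
	Subnets   map[string]*Subnet
}

// Handle answers one resource request (step S104): grant it from the pool, or, if the pool is
// short, lower the release threshold and holding time of the other low-priority subnets.
func (m *Master) Handle(r Request) bool {
	if m.Remaining >= r.Bandwidth {
		s := m.Subnets[r.Subnet]
		s.Links[r.Link].Capacity += r.Bandwidth
		s.HeldFor = 0
		m.Remaining -= r.Bandwidth
		return true
	}
	for name, s := range m.Subnets {
		if name != r.Subnet && s.LowPriority {
			s.ReleaseThreshold /= 2
			s.HoldingTime = int(math.Ceil(float64(s.HoldingTime) / 2))
		}
	}
	return false
}

// Tick runs one period: recovery first, then the sub-controllers' requests, then the timers advance.
func (m *Master) Tick() (granted int) {
	for _, s := range m.Subnets {
		m.Remaining += s.Recover()
	}
	for _, s := range m.Subnets {
		for _, r := range s.Monitor() {
			if m.Handle(r) {
				granted++
			}
		}
		s.HeldFor++
	}
	return granted
}
```

With a high-priority subnet whose link is overloaded and a low-priority subnet whose link is nearly idle, the first requests are refused because the pool is short, the low-priority subnet's holding time is cut until its recovery runs, and the reclaimed bandwidth then satisfies the pending request.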
Based on the same inventive concept, and referring to fig. 4, the present application further provides an SDN-based network isolation and resource planning system, which comprises, from bottom to top, a data forwarding layer, a network virtualization layer, a control layer and an application layer, where:
the data forwarding layer is configured to access network devices with different identity categories through a switch, read a security policy table in the control layer through a communication module and encrypt a data communication process of the network devices;
the network virtualization layer is configured to manage a plurality of virtual subnets partitioned by an SDN-based address virtualization technology according to the number of identity categories of the network device;
the control layer comprises a plurality of sub-controllers and a master controller, where the sub-controllers correspond one-to-one to the virtual subnets and manage them, and the master controller manages all the sub-controllers;
the application layer comprises a CA authentication module, an identity calibration and access control module, a security policy deployment module, a network monitoring module and a resource allocation and maintenance module,
the CA authentication module is configured to perform identity verification on the network equipment through the control layer, the identity calibration and access control module is configured to perform identity calibration and access on the network equipment through the control layer, the security policy deployment module is configured to formulate the security policy table according to the security requirement and the service requirement of the virtual subnet and issue the security policy table to the control layer, the network monitoring module is configured to monitor the network state through the control layer, and the resource allocation and maintenance module is configured to allocate and maintain network resources through the control layer.
The SDN-based network isolation and resource planning system is mainly used where network devices of several identity categories are connected to the data forwarding layer and share data. The network devices connected to the system are isolated at the network virtualization layer: first, SDN-based virtualization isolates them according to their identity categories, then the corresponding security policies are deployed according to the requirements and service types of the virtual subnets, and the control layer monitors the network state in real time, issues a resource planning strategy based on the network traffic load degree, and applies it to the network. When a network device or service flow is connected to the network, the relevant functional module of the application layer is invoked and the controllers deployed in the control layer carry out the function; for example, the CA authentication module is invoked to verify the identity of the network device.
It should be noted that the method of the embodiment of the present application may be executed by a single device, such as a computer or a server. The method of the embodiment can also be applied to a distributed scene and completed by the mutual cooperation of a plurality of devices. In such a distributed scenario, one of the multiple devices may only perform one or more steps of the method of the embodiment, and the multiple devices interact with each other to complete the method.
It should be noted that the foregoing describes some embodiments of the present application. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments described above and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Those of ordinary skill in the art will understand that the discussion of any embodiment above is meant to be exemplary only and is not intended to imply that the scope of the disclosure, including the claims, is limited to these examples; within the context of the present application, features from the above embodiments or from different embodiments may also be combined, steps may be implemented in any order, and there are many other variations of the different aspects of the embodiments of the present application described above, which are not provided in detail for the sake of brevity.
The present embodiments are intended to embrace all such alternatives, modifications and variances which fall within the broad scope of the appended claims. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of the embodiments of the present application are intended to be included within the scope of the present application.

Claims (10)

1. A network isolation and resource planning method based on an SDN is characterized by comprising the following steps:
dividing a network into a plurality of virtual subnets by adopting an address virtualization technology based on an SDN (software defined network);
respectively determining network parameters of each virtual subnet according to the security requirements and the service requirements of the virtual subnets, wherein the network parameters comprise a trigger request threshold value, a release threshold value and resource retention time;
in response to determining that a link with a traffic load degree exceeding the trigger request threshold exists in the virtual subnet, a sub-controller in the virtual subnet sends a resource request to a master controller;
in response to determining that the resource request is received, the overall controller allocates resources to the virtual subnet,
in response to determining that the remaining available network resources do not satisfy the resource request, the overall controller adjusts network parameters of the other virtual subnets,
in response to the determination that the remaining available network resources meet the resource request, the master controller obtains a recommended path of the resource request through calculation based on the resource request, pre-allocates the remaining available network resources to the virtual subnet according to the recommended path, and after the pre-allocated network maintaining time meets the resource maintaining time,
and in response to determining that a link with a traffic load degree not lower than the release threshold or zero exists in the virtual subnet, reserving the remaining available network resources pre-allocated in the virtual subnet.
2. The method of claim 1, wherein the partitioning the network into a plurality of virtual subnets using address virtualization technology comprises:
and acquiring the number of the identity types of network equipment to be accessed into the network, and dividing the network based on the number of the identity types to obtain a plurality of virtual subnets.
3. The method of claim 2, wherein accessing the network device into a network comprises:
in response to determining that the network device is not first accessed into the network,
the network equipment performs identity authentication through a total CA authentication server, and sends a public key of the network equipment to the total controller after the network equipment passes the authentication;
and distributing the corresponding virtual subnets for the network equipment through the master controller according to the prefix of the public key.
4. The method of claim 3, further comprising:
in response to determining that the network device is first accessed into the network,
the network equipment sends a registration request to the master controller, and the master CA authentication server sends a digital certificate and a key pair to the network equipment after the request passes;
and the network equipment sends the public key in the key pair to the master controller, and distributes the corresponding virtual subnet to the network equipment through the master controller according to the prefix of the public key.
5. The method according to claim 3 or 4, wherein when the network device performs data communication in a network, the network device and traffic generated by performing the data communication are encrypted according to security requirements of the virtual subnet in which the network device is located.
6. The method according to claim 5, wherein the encrypting the network device and the traffic generated by the data communication according to the security requirement of the virtual subnet in which the network device is located comprises:
when the security requirement is determined to be a first requirement, the sub-controller performs identity verification on the network devices performing the data communication and performs asymmetric encryption on the service traffic;
and when the security requirement is determined to be a second requirement, the sub-controller performs identity verification on the network devices performing the data communication and performs symmetric encryption on the service traffic.
7. The method of claim 1, wherein the overall controller obtains the recommended path of the resource request by calculating based on the resource request, including:
and obtaining a current path through a Dijkstra algorithm according to a link endpoint in the resource request, and obtaining the recommended path through a depth deterministic strategy gradient algorithm DDPG based on the current path.
8. The method of claim 1, further comprising:
in response to determining that the link with the traffic load degree lower than the release threshold exists in the virtual subnet, the master controller performs resource recovery on the idle resources in the virtual subnet until the link with the traffic load degree not lower than the release threshold or the traffic load degree zero exists in the virtual subnet,
wherein a network maintenance time before the resource reclamation is performed satisfies the resource holding time.
9. The method of claim 1, wherein the overall controller adjusts network parameters of other virtual subnets, including: and the master controller reduces the release threshold and the resource holding time of other virtual subnets according to the security requirement.
10. A network isolation and resource planning system based on SDN is characterized by comprising a data forwarding layer, a network virtual layer, a control layer and an application layer from bottom to top in sequence,
the data forwarding layer is configured to access network devices with different identity categories through a switch, read a security policy table in the control layer through a communication module and encrypt a data communication process of the network devices;
the network virtualization layer is configured to manage a plurality of virtual subnets partitioned by an SDN-based address virtualization technology according to the number of identity categories of the network device;
the control layer comprises a plurality of sub-controllers and a master controller, where the sub-controllers correspond one-to-one to the virtual subnets and manage them, and the master controller manages all the sub-controllers;
the application layer comprises a CA authentication module, an identity calibration and access control module, a security policy deployment module, a network monitoring module and a resource allocation and maintenance module,
the CA authentication module is configured to perform identity verification on the network equipment through the control layer, the identity calibration and access control module is configured to perform identity calibration and access on the network equipment through the control layer, the security policy deployment module is configured to formulate the security policy table according to the security requirement and the service requirement of the virtual subnet and issue the security policy table to the control layer, the network monitoring module is configured to monitor the network state through the control layer, and the resource allocation and maintenance module is configured to allocate and maintain network resources through the control layer.
CN202210121949.1A 2022-02-09 2022-02-09 SDN-based network isolation and resource planning method and system Active CN114928526B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210121949.1A CN114928526B (en) 2022-02-09 2022-02-09 SDN-based network isolation and resource planning method and system

Publications (2)

Publication Number Publication Date
CN114928526A true CN114928526A (en) 2022-08-19
CN114928526B CN114928526B (en) 2023-06-16

Family

ID=82805633

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210121949.1A Active CN114928526B (en) 2022-02-09 2022-02-09 SDN-based network isolation and resource planning method and system

Country Status (1)

Country Link
CN (1) CN114928526B (en)

Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015117385A1 (en) * 2014-07-25 2015-08-13 中兴通讯股份有限公司 Network virtualization processing method, device and system
CN105099950A (en) * 2014-04-17 2015-11-25 华为技术有限公司 Resource allocation method, message communication method and devices
CN106789707A (en) * 2016-11-28 2017-05-31 北京邮电大学 Global service dynamic optimization method and device for software-defined packet transport networks
CN106879073A (en) * 2017-03-17 2017-06-20 北京邮电大学 Service-oriented network resource allocation method and device for a physical network
CN107222353A (en) * 2017-07-11 2017-09-29 中国科学技术大学 Protocol-agnostic software-defined network virtualization management platform
CN107347021A (en) * 2017-07-07 2017-11-14 西安交通大学 SDN-based reliable transmission method
US20180026911A1 (en) * 2016-07-25 2018-01-25 Cisco Technology, Inc. System and method for providing a resource usage advertising framework for SFC-based workloads
WO2018086569A1 (en) * 2016-11-10 2018-05-17 北京大学(天津滨海)新一代信息技术研究院 Dynamic SDN configuration method based on application awareness of virtual network
CN108718244A (en) * 2017-12-20 2018-10-30 北京时代民芯科技有限公司 Reference framework and method for multi-service convergence
US20190097838A1 (en) * 2017-09-26 2019-03-28 Oracle International Corporation Virtual interface system and method for multi-tenant cloud networking
CN109565467A (en) * 2016-08-05 2019-04-02 华为技术有限公司 Pre-configuration of virtual networks supporting service-based traffic forwarding
CN109743261A (en) * 2019-01-07 2019-05-10 中国人民解放军国防科技大学 SDN-based container network resource scheduling method
CN110048869A (en) * 2018-01-16 2019-07-23 中国科学院沈阳自动化研究所 Resource allocation method and system for industrial time-sensitive software-defined networks
CN112235836A (en) * 2020-11-17 2021-01-15 上海交通大学 Industrial edge network system architecture and resource scheduling method
CN112822050A (en) * 2021-01-05 2021-05-18 北京信息科技大学 Method and apparatus for deploying network slices
CN114021056A (en) * 2021-11-01 2022-02-08 国网辽宁省电力有限公司 Dynamic partitioning method and partitioning system for an ICT (information and communication technology) resource link virtual operation platform

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
KUN XIE et al.: "Utility-Optimized Resource Allocation in Computing-Aware Networks", 2021 13th International Conference on Communication Software and Networks *
肖扬; 吴家威; 李鉴学; 刘军: "A dynamic routing algorithm based on deep reinforcement learning", Information and Communications Technology and Policy, no. 09 *
胡敏; 陈元会; 黄宏程: "A hypernetwork link prediction method based on spatio-temporal relations in location-based social networks", Journal of Computer Applications, no. 06 *
高健: "Research on 5G core network slicing algorithms based on joint optimization of resource allocation and routing", Wanfang Journal Database *
黄小红 et al.: "An SDN-based traffic scheduling optimization model across IP protocols", Journal of Southeast University, vol. 47, pp. 35-38 *

Also Published As

Publication number Publication date
CN114928526B (en) 2023-06-16

Similar Documents

Publication Publication Date Title
Vassilaras et al. The algorithmic aspects of network slicing
Wu et al. Big data analysis-based secure cluster management for optimized control plane in software-defined networks
Rischke et al. QR-SDN: Towards reinforcement learning states, actions, and rewards for direct flow routing in software-defined networks
Jang et al. Joint optimization of service function placement and flow distribution for service function chaining
Rath et al. Optimal controller placement in Software Defined Networks (SDN) using a non-zero-sum game
Grosu et al. Noncooperative load balancing in distributed systems
US20210075789A1 (en) Apparatus to automatically establish or modify mutual authentications amongst the components in a software defined networking (sdn) solution
Ibrahim et al. Heuristic resource allocation algorithm for controller placement in multi-control 5G based on SDN/NFV architecture
CN112769550B (en) Load balancing quantum key resource distribution system facing data center
CN112737776B (en) Data center-oriented quantum key resource allocation method for load balancing
Nguyen et al. Parallel and distributed resource allocation with minimum traffic disruption for network virtualization
Ghai et al. A stable matching based algorithm to minimize the end-to-end latency of edge nfv
Nam et al. Joint network embedding and server consolidation for energy–efficient dynamic data center virtualization
Pagar et al. Load balancing of fog computing centre and its security using elliptic curve cryptography
Chaudhary et al. PARC: Placement availability resilient controller scheme for software-defined datacenters
Patil Load balancing approach for finding best path in SDN
Zhao et al. On virtual network reconfiguration in hybrid optical/electrical datacenter networks
Nasiri et al. Distributed virtual network embedding for software-defined networks using multiagent systems
Abouelela et al. Multidomain hierarchical resource allocation for grid applications
CN114928526B (en) SDN-based network isolation and resource planning method and system
Zhao et al. On the parallel reconfiguration of virtual networks in hybrid optical/electrical datacenter networks
Pham et al. Dynamic controller/switch mapping in virtual networks service chains
Aytaç et al. Authenticated quality of service aware routing in software defined networks
Han et al. Parallel network slicing for multi-sp services
Femminella et al. Attribute-Based Management of Secure Kubernetes Cloud Bursting

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant