Disclosure of Invention
Aiming at the problems in the prior art, the embodiment of the invention provides an SFC implementation method and device based on SRv6 in a private cloud.
The embodiment of the invention provides an SFC implementation method based on SRv6 in a private cloud, which comprises the following steps:
when receiving service configuration information of an SFC service chain, generating a corresponding service chain rule according to the service configuration information, sending the service chain rule to an OVS (Open vSwitch), and generating, by the OVS, a service chain information table and a corresponding datapath flow table according to the service chain rule;
based on the first service node in the service configuration information, sending a corresponding data packet to the OVS, and detecting whether the data packet meets a preset SFC encapsulation requirement, wherein the SFC encapsulation requirement comprises the following checks: whether the data packet hits the datapath flow table, whether SFC is required, and whether the service chain information table is hit;
when the data packet meets the preset SFC encapsulation requirement, performing SFC encapsulation on the data packet, wherein the SFC encapsulation comprises: encapsulating an SRH (Segment Routing Header) according to SID information in the service chain information table, and encapsulating an IPv6 header according to next hop information in the service configuration information;
and sending the encapsulated data packet to a second service node according to the next hop information, wherein the OVS of the second service node identifies the data packet by querying whether the data packet contains an IPv6 header, whether the data packet contains an SRH, and whether the quintuple (five-tuple) in the data packet hits the service chain information table;
and when the identification passes, judging, according to the destination address in the IPv6 header, whether the second service node is the destination, and when the second service node is the destination, decapsulating the data packet and forwarding it to the vport of the VPC corresponding to the destination address.
In one embodiment, the method further comprises:
acquiring a key field in the data packet, and inquiring whether a record of the key field is contained in the datapath flow table or not;
if the datapath flow table contains the record of the key field, acquiring the action of the key field, and judging whether the action needs to execute SFC operation;
if the action needs to execute SFC operation, acquiring quintuple information, checking whether the service chain information table contains a corresponding record according to the quintuple information, and if the service chain information table contains the corresponding record of the quintuple information, acquiring corresponding SID information in the service chain information table.
In one embodiment, the method further comprises:
if the datapath flow table does not contain the record of the key field, uploading the data packet to user mode;
acquiring, in user mode, the key field in the data packet, and querying whether an openflow flow table contains a record of the key field;
wherein the step of acquiring the action of the key field includes:
if the openflow flow table contains the record of the key field, acquiring the action of the key field from the openflow flow table.
In one embodiment, the method further comprises:
and issuing the rule corresponding to the key field in the openflow flow table to a kernel mode to generate a corresponding datapath flow table.
In one embodiment, the method further comprises:
when the second service node is not the destination, modifying the destination address in the IPv6 header to the SID of the next hop node of the second service node, and updating the pointer (Segments Left) and the remaining hop count in the SRH;
and the decapsulating the data packet and forwarding it to the vport of the VPC corresponding to the destination address includes:
decapsulating the data packet and forwarding it to the vport of the VPC corresponding to the next hop node of the second service node.
In one embodiment, the service types in the SFC service chain include:
load balancing, firewall, web security, filter.
The embodiment of the invention provides an SFC implementation device based on SRv6 in a private cloud, which comprises:
a receiving module, configured to, when service configuration information of an SFC service chain is received, generate a corresponding service chain rule according to the service configuration information and send the service chain rule to the OVS, whereupon the OVS generates a service chain information table and a corresponding datapath flow table according to the service chain rule;
a sending module, configured to send, based on the first service node in the service configuration information, a corresponding data packet to the OVS, and detect whether the data packet meets a preset SFC encapsulation requirement, where the SFC encapsulation requirement includes: whether the data packet hits the datapath flow table, whether SFC is needed, and whether the service chain information table is hit;
an encapsulation module, configured to perform SFC encapsulation on the data packet when the data packet meets the preset SFC encapsulation requirement, including: encapsulating an SRH according to SID information in the service chain information table, and encapsulating an IPv6 header according to next hop information in the service configuration information;
an identification module, configured to send the encapsulated packet to a second service node according to the next hop information, where the OVS of the second service node identifies the packet by querying whether the data packet contains an IPv6 header, whether the data packet contains an SRH, and whether the quintuple in the data packet hits the service chain information table;
and a decapsulation module, configured to judge, when the identification passes, whether the second service node is the destination according to the destination address in the IPv6 header, and when the second service node is the destination, decapsulate the data packet and forward it to the vport of the VPC corresponding to the destination address.
In one embodiment, the apparatus further comprises:
the query module is used for acquiring the key field in the data packet and querying whether the datapath flow table contains the record of the key field;
a judging module, configured to obtain an action of the key field if the datapath flow table includes the record of the key field, and judge whether the action needs to execute an SFC operation;
and the checking module is used for acquiring quintuple information if the action needs to execute SFC operation, checking whether the service chain information table contains a corresponding record according to the quintuple information, and acquiring corresponding SID information in the service chain information table if the service chain information table contains the corresponding record of the quintuple information.
The embodiment of the invention provides electronic equipment, which comprises a memory, a processor and a computer program stored on the memory and runnable on the processor, wherein the processor, when executing the program, implements the steps of the SRv6-based SFC implementation method in a private cloud described above.
An embodiment of the present invention provides a non-transitory computer-readable storage medium on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the above-mentioned SRv6-based SFC implementation method in a private cloud.
According to the SFC implementation method and device based on SRv6 in the private cloud, when the service configuration information of the SFC service chain is received, the corresponding service chain rule is generated according to the service configuration information and sent to the OVS, and the OVS generates the service chain information table and the corresponding datapath flow table according to the service chain rule; based on the first service node in the service configuration information, a corresponding data packet is sent to the OVS, and it is detected whether the data packet meets a preset SFC encapsulation requirement, wherein the SFC encapsulation requirement comprises the following checks: whether the data packet hits the datapath flow table, whether SFC is needed, and whether the service chain information table is hit; when the data packet meets the preset SFC encapsulation requirement, SFC encapsulation is performed on the data packet, wherein the SFC encapsulation comprises: encapsulating an SRH according to the SID information in the service chain information table, and encapsulating an IPv6 header according to the next hop information in the service configuration information; the encapsulated data packet is sent to a second service node according to the next hop information, and the OVS of the second service node identifies the data packet by querying whether the data packet contains an IPv6 header, whether the data packet contains an SRH, and whether the quintuple in the data packet hits the service chain information table; and when the identification passes, it is judged according to the destination address in the IPv6 header whether the second service node is the destination, and when the second service node is the destination, the data packet is decapsulated and forwarded to the vport of the VPC corresponding to the destination address. Therefore, with this SRv6-based method for implementing SFC in the cloud, a user can use SFC in the cloud conveniently and quickly simply by issuing the SFC path information and associating the sessions that need the service; the traffic is not constrained by where the service nodes are deployed, and the SFC function can be used anywhere in the cloud. Because the scheme uses IPv6, it remains applicable as the network scales up, and because SRv6 carries the address list (segment list) in the packet itself, cloud addressing and related functions are optimized and speed and performance are greatly improved.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic flow diagram of an SFC implementation method based on SRv6 in a private cloud according to an embodiment of the present invention, and as shown in fig. 1, an SFC implementation method based on SRv6 in a private cloud according to an embodiment of the present invention includes:
step S101, when receiving service configuration information of an SFC service chain, generating a corresponding service chain rule according to the service configuration information, sending the service chain rule to an OVS, and the OVS generating a service chain information table and generating a corresponding datapath flow table according to the service chain rule.
Specifically, when service configuration information for an SFC (Service Function Chain) is received, where the service types in the SFC may include, but are not limited to, a load balancing service, a firewall service, a web security service, a filter service, and the like, the control plane of the service system generates a corresponding service chain rule according to the service configuration information and sends the service chain rule to the OVS (Open vSwitch, an open-source virtual switch). The OVS then generates, according to the service chain rule, a corresponding service chain information table, containing for example the quintuple (five-tuple: source address, destination address, protocol, source port, destination port) of each session to be chained together with the SID information of its chain, and generates a corresponding datapath flow table (the kernel-mode flow table of the OVS).
Step S102, based on the first service node in the service configuration information, sending a corresponding data packet to an OVS, and detecting whether the data packet meets a preset SFC packaging requirement, wherein the SFC packaging requirement comprises: whether the data packet hits the datapath flow table, whether SFC is required, and whether the service chain information table is hit.
Specifically, based on the first service node in the service configuration information, that is, the initial service node, a corresponding service data packet is generated and sent to the virtual machine port (vport) of the OVS, where the content of the service data packet may be generated from the SFC information of the VPC (Virtual Private Cloud). After receiving the data packet, the SRv6-SFC identification module at the vport of the OVS detects whether the data packet meets a preset SFC encapsulation requirement. The SFC encapsulation requirement consists of three checks that must be satisfied in sequence: whether the data packet hits the datapath flow table, whether SFC is needed, and whether the service chain information table is hit. Specifically:
the key field in the data packet is acquired and the datapath flow table is queried for a record of the key field, where the key field may include information such as the IP fields; if the datapath flow table contains a record of the key field, the action of that record is acquired and it is judged whether the action requires an SFC operation; if the action requires an SFC operation, the quintuple information is acquired and the service chain information table is checked for a corresponding record according to the quintuple; and if the service chain information table contains the corresponding record, the corresponding SID information is acquired from the service chain information table.
Step S103, when the data packet meets the preset SFC encapsulation requirement, performing SFC encapsulation on the data packet, including: encapsulating an SRH according to the SID information in the service chain information table, and encapsulating an IPv6 header according to the next hop information in the service configuration information.
Specifically, when the data packet meets the preset SFC encapsulation requirement, the data packet is sent to the SRv6-SFC processing module of the OVS, and the encapsulation proceeds as follows: for the data packet from the VPC (Virtual Private Cloud), the SFC encapsulation is performed according to the routing information list in the service chain information table entry hit by the quintuple; the SRv6-SFC processing module pushes the SIDs into an SRH in sequence, then encapsulates the destination address of the next hop into an IPv6 header, forming an IPv6-SRH-Payload packet, and finally forwards the packet to the port corresponding to the next hop.
Step S104, sending the encapsulated data packet to a second service node according to the next hop information, wherein the OVS of the second service node identifies the data packet by querying whether the data packet contains an IPv6 header, whether the data packet contains an SRH, and whether the quintuple in the data packet hits the service chain information table.
Specifically, the encapsulated data packet is sent to the second service node according to the next hop information. When the physical port of the OVS of the second service node receives the data packet, the SRv6-SFC identification module of the OVS identifies the data packet, and the identification consists of the following queries in sequence: whether the data packet contains an IPv6 header, whether the data packet contains an SRH, and whether the quintuple in the data packet hits the service chain information table.
Step S105, when the identification passes, judging, according to the destination address in the IPv6 header, whether the second service node is the destination, and when the second service node is the destination, decapsulating the data packet and forwarding it to the vport of the VPC corresponding to the destination address.
Specifically, when the identification of the data packet passes, the data packet is sent to the SRv6-SFC processing module, which examines the destination address in the IPv6 header and determines whether the second service node is the destination. When the second service node is the destination, the data packet is decapsulated and forwarded to the vport (virtual port) of the VPC corresponding to the destination address; that is, if the current SID is the last entry of the service path information, the IPv6 header and the SRH are stripped and the remaining payload is sent to the vport of the corresponding VPC.
In addition, when the second service node is not the destination, the destination address in the IPv6 header is modified to the next hop node of the second service node, that is, the destination address of the IPv6 header is updated to the SID value of the next hop, the pointer and the remaining hop count in the SRH are updated, and the packet is then forwarded to the vport corresponding to the next hop.
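Steps S103 to S105 (and the equivalent steps in the Disclosure of Invention) worked through in code, as an added example that is not part of the patent and is not Open vSwitch code: the first node classifies the packet by its quintuple, builds the SRH and the outer IPv6 header, and every later node performs the three identification queries and then either rewrites the destination address and Segments Left or, at the last SID, strips the IPv6+SRH headers. The SID block fc00:1::/32, the node addresses, the table contents and the inner IPv4/TCP packet builder are constructed assumptions. Two checks go beyond what the embodiment lists and are added here as a practitioner's caveat: the receiving node accepts an SRH only if every SID lies inside the cloud's own SID block and only if the IPv6 destination address is its own SID, so an SRH arriving from an untrusted port cannot steer a session past a service in its chain.

```python
"""SRv6-SFC data path of steps S103 to S105: encapsulation at the first node,
identification and endpoint processing at every later node. Added example, not
code from the patent or from Open vSwitch; the SID block, the tables, the
inner-packet builder and the node addresses are constructed assumptions."""
import ipaddress
import struct

NH_IPV4, NH_ROUTING = 4, 43                      # IPv6 Next Header values
ROUTING_TYPE_SRH = 4                             # RFC 8754 Segment Routing Header
SID_BLOCK = ipaddress.ip_network("fc00:1::/32")  # assumed SID space of the cloud

# Service chain information table (constructed): 5-tuple -> SIDs in traversal
# order; the last SID is the node that owns the destination VPC vport.
SERVICE_CHAIN_TABLE = {
    ("10.0.1.10", "10.0.2.20", 6, 40000, 443):
        ["fc00:1:2::1", "fc00:1:3::1", "fc00:1:4::1"],   # firewall, LB, egress
}

def make_ipv4_tcp(src, dst, sport, dport, payload=b""):
    """Constructed sample VPC packet: IPv4 header (checksum left 0) + TCP."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + struct.pack("!HH", sport, dport) + b"\x00" * 16 + payload

def five_tuple(ipv4_pkt):
    """(src, dst, proto, sport, dport) of an inner IPv4 packet."""
    ihl = (ipv4_pkt[0] & 0x0F) * 4
    src, dst = ipaddress.IPv4Address(ipv4_pkt[12:16]), ipaddress.IPv4Address(ipv4_pkt[16:20])
    sport, dport = struct.unpack("!HH", ipv4_pkt[ihl:ihl + 4])
    return (str(src), str(dst), ipv4_pkt[9], sport, dport)

def encapsulate(ipv4_pkt, ingress_sid):
    """Step S103: SRH from the SID list, then the outer IPv6 header whose DA is
    the first hop. Returns None when the 5-tuple misses the chain table."""
    sids = SERVICE_CHAIN_TABLE.get(five_tuple(ipv4_pkt))
    if sids is None:
        return None
    n = len(sids)
    # RFC 8754 stores Segment List[0] = last segment, so push the SIDs reversed;
    # Segments Left starts at n-1 because sids[0] is already the IPv6 DA.
    srh = struct.pack("!BBBBBBH", NH_IPV4, 2 * n, ROUTING_TYPE_SRH, n - 1, n - 1, 0, 0)
    srh += b"".join(ipaddress.IPv6Address(s).packed for s in reversed(sids))
    ipv6 = struct.pack("!IHBB", 0x60000000, len(srh) + len(ipv4_pkt), NH_ROUTING, 64)
    ipv6 += ipaddress.IPv6Address(ingress_sid).packed + ipaddress.IPv6Address(sids[0]).packed
    return ipv6 + srh + ipv4_pkt

def identify(pkt):
    """Step S104: IPv6 header present, SRH present, inner 5-tuple hits the
    chain table. Also rejects malformed SRHs and SIDs outside SID_BLOCK (added
    check), so a foreign SRH cannot steer traffic around a service."""
    if len(pkt) < 48 or pkt[0] >> 4 != 6 or pkt[6] != NH_ROUTING:
        return None
    nh, ext_len, rtype, sl, last, _, _ = struct.unpack("!BBBBBBH", pkt[40:48])
    srh_len = 8 + 8 * ext_len
    if (rtype != ROUTING_TYPE_SRH or nh != NH_IPV4 or sl > last
            or 16 * (last + 1) > srh_len - 8 or len(pkt) < 40 + srh_len + 24):
        return None
    segs = [ipaddress.IPv6Address(bytes(pkt[48 + 16 * i:64 + 16 * i])) for i in range(last + 1)]
    if any(s not in SID_BLOCK for s in segs):
        return None
    inner = bytes(pkt[40 + srh_len:])
    if five_tuple(inner) not in SERVICE_CHAIN_TABLE:
        return None
    return {"da": ipaddress.IPv6Address(bytes(pkt[24:40])), "sl": sl, "segs": segs, "inner": inner}

def process_at_node(pkt, local_sid):
    """Step S105. ('decap', inner) when this node is the destination
    (Segments Left == 0); ('forward', pkt, next_sid) after the DA and Segments
    Left update; ('drop', None) when identification fails or DA is not ours."""
    view = identify(pkt)
    if view is None or view["da"] != ipaddress.IPv6Address(local_sid):
        return ("drop", None)
    if view["sl"] == 0:
        return ("decap", view["inner"])         # strip IPv6+SRH, hand to the VPC vport
    sl = view["sl"] - 1
    next_sid = view["segs"][sl]                 # Segment List[SL] is the next hop
    out = bytearray(pkt)
    out[24:40] = next_sid.packed                # rewrite IPv6 DA
    out[43] = sl                                # Segments Left is byte 3 of the SRH
    return ("forward", bytes(out), str(next_sid))

def run_chain(ipv4_pkt, ingress_sid="fc00:1:1::1"):
    """Walk the packet through its chain; returns the (node, action) trace and
    what the final node hands to the VPC."""
    pkt = encapsulate(ipv4_pkt, ingress_sid)
    if pkt is None:
        return [], None
    node, trace = str(ipaddress.IPv6Address(pkt[24:40])), []
    while True:
        result = process_at_node(pkt, node)
        trace.append((node, result[0]))
        if result[0] != "forward":
            return trace, result[1]
        pkt, node = result[1], result[2]
```

run_chain() on a packet of the sample session yields the trace firewall → load balancer → egress, with "forward" at the first two nodes and "decap" at the third, and the payload handed to the vport is the original VPC packet unchanged. A node that receives a packet whose IPv6 destination address is not its own SID, or whose segment list contains an address outside the SID block, drops it in identify()/process_at_node() rather than acting on the SRH.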
According to the SFC implementation method based on SRv6 in the private cloud, when the service configuration information of the SFC service chain is received, the corresponding service chain rule is generated according to the service configuration information and sent to the OVS, and the OVS generates the service chain information table and the corresponding datapath flow table according to the service chain rule; based on the first service node in the service configuration information, a corresponding data packet is sent to the OVS, and it is detected whether the data packet meets a preset SFC encapsulation requirement, wherein the SFC encapsulation requirement comprises the following checks: whether the data packet hits the datapath flow table, whether SFC is needed, and whether the service chain information table is hit; when the data packet meets the preset SFC encapsulation requirement, SFC encapsulation is performed on the data packet, wherein the SFC encapsulation comprises: encapsulating an SRH according to the SID information in the service chain information table, and encapsulating an IPv6 header according to the next hop information in the service configuration information; the encapsulated data packet is sent to a second service node according to the next hop information, and the OVS of the second service node identifies the data packet by querying whether the data packet contains an IPv6 header, whether the data packet contains an SRH, and whether the quintuple in the data packet hits the service chain information table; and when the identification passes, it is judged according to the destination address in the IPv6 header whether the second service node is the destination, and when the second service node is the destination, the data packet is decapsulated and forwarded to the vport of the VPC corresponding to the destination address. Therefore, with this SRv6-based method for implementing SFC in the cloud, a user can use SFC in the cloud conveniently and quickly simply by issuing the SFC path information and associating the sessions that need the service; the traffic is not constrained by where the service nodes are deployed, and the SFC function can be used anywhere in the cloud. Because the scheme uses IPv6, it remains applicable as the network scales up, and because SRv6 carries the address list (segment list) in the packet itself, cloud addressing and related functions are optimized and speed and performance are greatly improved.
In another embodiment, the SRv6-based SFC implementation method in the private cloud may handle the case in which the OVS of the first service node in the service configuration information receives a data packet for the first time (that is, "when the data packet is received for the first time" or "when the data packet is received and does not hit the datapath flow table"), as shown in Figs. 2 and 3: if the datapath flow table does not contain a record of the key field, the data packet is uploaded to user mode; user mode acquires the key field in the data packet and queries whether the openflow flow table contains a record of the key field; the action of the key field is acquired from the record in the openflow flow table containing the key field; the subsequent steps are the same as the processing steps in the embodiment above; and after the data packet has been decapsulated and forwarded to the vport of the VPC corresponding to the destination address, the rule corresponding to the key field in the openflow flow table is issued to kernel mode to generate the corresponding datapath flow table entry.
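The three sequential checks of step S102 together with the first-packet slow path of this embodiment, as an added example that is not part of the patent and is not Open vSwitch code: the kernel-mode datapath is an exact-match table keyed by the key field, a miss sends the packet to user mode, user mode resolves the action from a priority-ordered openflow flow table and issues the resulting rule to the datapath, and only an action that requires SFC leads to the quintuple lookup in the service chain information table. The key field (IP pair plus protocol), the rule format, the table contents and the sample flows are assumptions; the rule is installed before the packet is processed here, whereas the embodiment installs it afterwards, which does not change the outcome of any lookup.

```python
"""Step S102 classification with the first-packet slow path of Figs. 2 and 3:
datapath (kernel-mode) exact-match lookup, upcall to user mode on a miss,
OpenFlow lookup, then installation of the matching rule into the datapath.
Added example, not OVS or patent code; key field, rule layout and tables are
constructed assumptions."""
import ipaddress

FIVE_TUPLE = ("10.0.1.10", "10.0.2.20", 6, 40000, 443)   # constructed sample flow

# User-mode OpenFlow table (constructed): prefix wildcards, highest priority wins.
OPENFLOW_TABLE = [
    {"priority": 100, "src": "10.0.1.0/24", "dst": "10.0.2.0/24", "action": {"sfc": True}},
    {"priority": 10,  "src": "0.0.0.0/0",   "dst": "0.0.0.0/0",   "action": {"output": "vport-default"}},
]
# Service chain information table keyed by the full 5-tuple (constructed).
SERVICE_CHAIN_TABLE = {FIVE_TUPLE: ["fc00:1:2::1", "fc00:1:3::1", "fc00:1:4::1"]}

class Datapath:
    """Kernel-mode flow table: exact match on the key field, no wildcards."""
    def __init__(self):
        self.flows, self.upcalls = {}, 0

def key_field(five_tuple):
    """The key the datapath is indexed by; assumed here to be the IP pair and
    protocol, which is coarser than the 5-tuple used by the chain table."""
    return five_tuple[:3]

def openflow_lookup(key):
    """User-mode lookup: first rule in priority order whose prefixes match."""
    src, dst = ipaddress.ip_address(key[0]), ipaddress.ip_address(key[1])
    for rule in sorted(OPENFLOW_TABLE, key=lambda r: r["priority"], reverse=True):
        if src in ipaddress.ip_network(rule["src"]) and dst in ipaddress.ip_network(rule["dst"]):
            return rule["action"]
    return {"drop": True}

def classify(dp, five_tuple):
    """Apply the three encapsulation checks in order. Returns
    (sids or None, reason, path): path is 'fast' on a datapath hit and 'slow'
    when the packet was upcalled to user mode and a rule was installed."""
    key = key_field(five_tuple)
    action, path = dp.flows.get(key), "fast"
    if action is None:                          # check 1 failed: datapath miss
        dp.upcalls += 1                         # upload the packet to user mode
        action = openflow_lookup(key)           # user mode consults the OpenFlow table
        dp.flows[key] = action                  # issue the rule to the kernel datapath
        path = "slow"
    if not action.get("sfc"):                   # check 2: does the action need SFC?
        return None, "no-sfc", path
    sids = SERVICE_CHAIN_TABLE.get(five_tuple)  # check 3: 5-tuple hits the chain table?
    if sids is None:
        return None, "chain-miss", path
    return sids, "ok", path
```

The first packet of the sample session takes the slow path and installs a datapath entry; the second packet of the same session is resolved entirely in the datapath. A different session between the same hosts reuses that datapath entry (check 1 and check 2 pass) but still fails check 3, which is why the quintuple lookup in the service chain information table must remain a separate step after the datapath hit.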
Fig. 4 is an SFC implementation apparatus based on SRv6 in a private cloud according to an embodiment of the present invention, including: a receiving module S201, a sending module S202, an encapsulating module S203, an identifying module S204 and an unpacking module S205, wherein:
the receiving module S201 is configured to, when receiving service configuration information of an SFC service chain, generate a corresponding service chain rule according to the service configuration information, and send the service chain rule to the OVS, and the OVS generates a service chain information table according to the service chain rule and generates a corresponding datapath flow table.
A sending module S202, configured to send, based on the first service node in the service configuration information, a corresponding data packet to the OVS, and detect whether the data packet meets a preset SFC encapsulation requirement, where the SFC encapsulation requirement includes: whether the data packet hits the datapath flow table, whether SFC is required, and whether the service chain information table is hit.
The encapsulating module S203 is configured to perform SFC encapsulation on the data packet when the data packet meets a preset SFC encapsulation requirement, and includes: and packaging an SRH message header according to SID information in a service chain information table, and packaging an IPv6 message header according to next hop information in the service configuration information.
An identifying module S204, configured to send the encapsulated data packet to a second service node according to the next hop information, where the OVS of the second service node identifies the data packet by querying whether the data packet contains an IPv6 header, whether the data packet contains an SRH, and whether the quintuple in the data packet hits the service chain information table.
And the unpacking module S205 is configured to, when the identification result passes, determine whether the second service node is a destination address according to a destination address in an IPv6 packet header, and when the second service node is the destination address, unpack the data packet and forward the unpacked data packet to the vport of the VPC corresponding to the destination address.
In one embodiment, the apparatus may further comprise:
and the query module is used for acquiring the key field in the data packet and querying whether the datapath flow table contains the record of the key field.
And the judging module is used for acquiring the action of the key field if the datapath flow table contains the record of the key field, and judging whether the action needs to execute SFC operation.
And the checking module is used for acquiring quintuple information if the action needs to execute SFC operation, checking whether the service chain information table contains a corresponding record according to the quintuple information, and acquiring corresponding SID information in the service chain information table if the service chain information table contains the corresponding record of the quintuple information.
For specific limitations of the SRv6-based SFC implementation apparatus in the private cloud, reference may be made to the above limitations of the SRv6-based SFC implementation method in the private cloud, and details are not described herein again. The various modules in the SRv6-based SFC implementation apparatus in the private cloud described above may be implemented in whole or in part by software, hardware, or combinations thereof. The modules can be embedded in hardware form in, or be independent of, the processor in the computer device, or can be stored in software form in the memory of the computer device, so that the processor can call and execute the operations corresponding to the modules.
Fig. 5 illustrates a physical structure diagram of an electronic device, which, as shown in Fig. 5, may include: a processor 301, a memory 302, a communication interface 303 and a communication bus 304, wherein the processor 301, the memory 302 and the communication interface 303 communicate with each other through the communication bus 304. The processor 301 may call logic instructions in the memory 302 to perform the following method: when receiving the service configuration information of the SFC service chain, generating a corresponding service chain rule according to the service configuration information, sending the service chain rule to the OVS, and generating, by the OVS, a service chain information table and a corresponding datapath flow table according to the service chain rule; based on a first service node in the service configuration information, sending a corresponding data packet to the OVS, and detecting whether the data packet meets a preset SFC encapsulation requirement, wherein the SFC encapsulation requirement comprises the following checks: whether the data packet hits the datapath flow table, whether SFC is needed, and whether the service chain information table is hit; when the data packet meets the preset SFC encapsulation requirement, performing SFC encapsulation on the data packet, wherein the SFC encapsulation comprises: encapsulating an SRH according to the SID information in the service chain information table, and encapsulating an IPv6 header according to the next hop information in the service configuration information; sending the encapsulated data packet to a second service node according to the next hop information, wherein the OVS of the second service node identifies the data packet by querying whether the data packet contains an IPv6 header, whether the data packet contains an SRH, and whether the quintuple in the data packet hits the service chain information table; and when the identification passes, judging according to the destination address in the IPv6 header whether the second service node is the destination, and when the second service node is the destination, decapsulating the data packet and forwarding it to the vport of the VPC corresponding to the destination address.
Furthermore, the logic instructions in the memory 302 may be implemented in software functional units and stored in a computer readable storage medium when sold or used as a stand-alone product. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk, and various media capable of storing program codes.
In another aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium on which a computer program is stored, where the computer program, when executed by a processor, performs the method provided in the foregoing embodiments, which for example includes: when receiving the service configuration information of the SFC service chain, generating a corresponding service chain rule according to the service configuration information, sending the service chain rule to the OVS, and generating, by the OVS, a service chain information table and a corresponding datapath flow table according to the service chain rule; based on a first service node in the service configuration information, sending a corresponding data packet to the OVS, and detecting whether the data packet meets a preset SFC encapsulation requirement, wherein the SFC encapsulation requirement comprises the following checks: whether the data packet hits the datapath flow table, whether SFC is needed, and whether the service chain information table is hit; when the data packet meets the preset SFC encapsulation requirement, performing SFC encapsulation on the data packet, wherein the SFC encapsulation comprises: encapsulating an SRH according to the SID information in the service chain information table, and encapsulating an IPv6 header according to the next hop information in the service configuration information; sending the encapsulated data packet to a second service node according to the next hop information, wherein the OVS of the second service node identifies the data packet by querying whether the data packet contains an IPv6 header, whether the data packet contains an SRH, and whether the quintuple in the data packet hits the service chain information table; and when the identification passes, judging according to the destination address in the IPv6 header whether the second service node is the destination, and when the second service node is the destination, decapsulating the data packet and forwarding it to the vport of the VPC corresponding to the destination address.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. Based on the understanding, the above technical solutions substantially or otherwise contributing to the prior art may be embodied in the form of a software product, which may be stored in a computer-readable storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the various embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.